Windows Analysis Report
GlassWireSetup.exe

Overview

General Information

Sample name: GlassWireSetup.exe
Analysis ID: 1528306
MD5: f1f2568ebb13c2cbe8c481bffa4922bb
SHA1: c1a512a08eebea2d8d88e8ac53ca5628c566ef13
SHA256: 5bd765c18cbe76eddf97ff39aa20c36e6bbf801ee876fc3c07c4651577e711a3

Detection

Score: 34
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 51
Range: 0 - 100

Signatures

Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to open files direct via NTFS file id
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Explorer Process Tree Break
Sigma detected: Potentially Suspicious Rundll32 Activity
Sigma detected: Suspicious Rundll32 Setupapi.dll Activity
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005C9EB7 DecryptFileW, 1_2_005C9EB7
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005EF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 1_2_005EF961
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005C9C99 DecryptFileW,DecryptFileW, 1_2_005C9C99
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00879EB7 DecryptFileW, 2_2_00879EB7
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0089F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 2_2_0089F961
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00879C99 DecryptFileW,DecryptFileW, 2_2_00879C99
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E2F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 3_2_00E2F961
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E09C99 DecryptFileW,DecryptFileW, 3_2_00E09C99
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E09EB7 DecryptFileW, 3_2_00E09EB7
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003298000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_5a6c2a26-8

Compliance

Source: GlassWireSetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\GlassWireSetup.exe Window detected: < &Back&Next >Cancel License AgreementPlease review the license terms before installing GlassWire.Press Page Down to see the rest of the agreement.GLASSWIRE SERVICES SUBSCRIPTION AGREEMENTTERMS AND CONDITIONSThese are the terms on which GlassWire a brand owned by Domotz Inc ("we" or "Domotz" or GlassWire) enable you the Subscriber ("you" or "Subscriber") to access our integrated technology platform as outlined in further detail in this Agreement our website and the Documentation which is available to Subscribers via the internet.These Terms of Service (the "Terms") including any extension annex and update together with the GlassWire Privacy Policy govern the way you will use our platform and all related services.Please read these terms carefully before you download any GlassWire Software use any GlassWire Services or Service Licenses. These terms explain who we are how we will provide the Services to you what to do if there is a problem and other important information.Please refer to our Privacy Policy for information on how we collect use and disclose information from our users. You acknowledge and agree that your use of the Services is subject to our Privacy Policy.ACCEPTANCEYou are deemed to have accepted the terms of this Agreement and will have created a binding contract with GlassWire upon any of the following events: (a) download or installation of any GlassWire Services or related Software; (b) access to or use of any GlassWire Services or related Software; (c) payment for GlassWire Services or related Software Subscription or Service Licenses; (d) entering into an order form for GlassWire Services or related Software Subscription or Service Licenses; or (e) clicking an "accept" button or other similar acknowledgment indicating your acceptance of this Agreement. If you do not agree to be bound by this Agreement you may not access or use the Services or any related. 
Please read through the entirety of this Agreement to review important provisions regarding intellectual property disclaimers limitations of liability indemnification waivers exclusive law and jurisdiction for resolution of disputes and other legal restrictions.By using our Services you agree to be bound by these Terms. If you don't agree to be bound by these Terms do not use the Services. If you are accessing and using the Services on behalf of a company (such as your employer) or other legal entity you represent and warrant that you have the authority to bind that company or other legal entity and each of its affiliates to these Terms. In that case "you" and "your" will refer to that company or other legal entity and its affiliates.INFORMATION ABOUT US AND CONTACT DETAILSThe subscription services provided by GlassWire to you under this Agreement including the GlassWire website cloud services desktop web and mobile applications and other services and functionality ("Services") are provided by Domotz Inc a company incorporated in the State of Delaware USA. Our office are a
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\ASIO-LICENSE_1_0.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\GEOIP-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\GEOLITE2-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\LZ4-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\OPENSSL-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\PROTOBYUF-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\QT-LICENSE.GPL3-EXCEPT.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\QT-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\RAPIDJSON-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\RAPIDXML-LICENSE.txt
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\ZLIB-LICENSE.txt
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\3082\license.rtf
Source: GlassWireSetup.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 18.244.164.20:443 -> 192.168.2.4:57884 version: TLS 1.2
Source: GlassWireSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x86.exe, 00000001.00000000.1730721661.00000000005FB000.00000002.00000001.01000000.00000005.sdmp, vc_redist.x86.exe, 00000001.00000002.1930767326.00000000005FB000.00000002.00000001.01000000.00000005.sdmp, vc_redist.x86.exe, 00000002.00000002.1925069276.00000000008AB000.00000002.00000001.01000000.00000007.sdmp, vc_redist.x86.exe, 00000002.00000000.1731634886.00000000008AB000.00000002.00000001.01000000.00000007.sdmp, VC_redist.x86.exe, 00000003.00000000.1736115821.0000000000E3B000.00000002.00000001.01000000.0000000C.sdmp, VC_redist.x86.exe, 00000003.00000002.1918918991.0000000000E3B000.00000002.00000001.01000000.0000000C.sdmp, VC_redist.x86.exe, 00000003.00000003.1866100025.00000000012D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: GlassWireSetup.exe, 00000000.00000003.2253359318.0000000002756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins\workspace\Glasswire-Consumer-rc\.build\build\msvc-win-x86-release-full-production\bin\GWInstSt.pdb source: GWInstSt.exe
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\users\tvo\dev\securemix\glasswire-windows-driver\.build\bins\Production-x64\generic-driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2316678417.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2252884220.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: revocationDateX509_REVOKEDlastUpdateX509_CRL_INFOcrlX509_CRLcrypto\x509\x_crl.cX509_CRL_add0_revokedX509_CRL_METHOD_newcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res\lib\ossl-modules.dll@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003252000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B0E9000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003252000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins\workspace\Glasswire-Consumer-rc\.build\build\msvc-win-x86-release-full-production\bin\nsihelper.pdb source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003305000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568711641.000000006B252000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B19C000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: krevocationDateX509_REVOKEDlastUpdateX509_CRL_INFOcrlX509_CRLcrypto\x509\x_crl.cX509_CRL_add0_revokedX509_CRL_METHOD_newcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res\lib\ossl-modules.dll@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B0E9000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\win7-release\x86\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\vc110-release\x64\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb"" source: GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUGOpenSSL 3.1.0 14 Mar 20233.1.0built on: Thu Aug 24 07:39:01 2023 UTCplatform: VC-conan-Release-Windows-x86-Visual Studio-16OPENSSLDIR: "C:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res"ENGINESDIR: "\lib\engines-3"MODULESDIR: "\lib\ossl-modules"CPUINFO: N/Anot available source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\win7-release\x64\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\vc110-release\x86\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbU source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb,, source: GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: GlassWireSetup.exe, 00000000.00000003.2222713240.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: GlassWireSetup.exe, 00000000.00000003.2263010670.0000000002750000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb55 source: GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C4D
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_0040689E FindFirstFileW,FindClose, 0_2_0040689E
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_00402930 FindFirstFileW, 0_2_00402930
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005B3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_005B3BC3
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F4315 FindFirstFileW,FindClose, 1_2_005F4315
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005C993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_005C993E
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_008A4315 FindFirstFileW,FindClose, 2_2_008A4315
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0087993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 2_2_0087993E
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00863BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 2_2_00863BC3
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E34315 FindFirstFileW,FindClose, 3_2_00E34315
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E0993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 3_2_00E0993E
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00DF3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 3_2_00DF3BC3
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /stat/install.php?v=3.4.694&build_type=full&os=Ten&platform=x64&update=0&install_id=8AC7009D4B52E62F54AD1F4176FBF27962F3EAF3F7DDE916A08729FD64A8AEEE&referrer=https%3A%2F%2Fwww.google.com%2F&user_agent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F129.0.0.0+Safari%2F537.36+Edg%2F129.0.0.0&ga_client_id=1231827075.1728319357 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.glasswire.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /api/v1/cell?locale=ch HTTP/1.1Host: pivot.protect.glasswire.comUser-Agent: GW/3.4.694.0 (Desktop Windows 10; x64)Accept: */*
Source: global traffic DNS traffic detected: DNS query: pivot.protect.glasswire.com
Source: global traffic DNS traffic detected: DNS query: api-eu-north-1.protect.glasswire.com
Source: global traffic DNS traffic detected: DNS query: www.glasswire.com
Source: unknown HTTP traffic detected: POST /api/v1.1/agent/device/register HTTP/1.1Host: api-eu-north-1.protect.glasswire.comUser-Agent: GW/3.4.694.0 (Desktop Windows 10; x64)Accept: */*Content-Type: application/jsonContent-Length: 41
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/doc
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/docB=
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acedicom.edicomgroup.com/docF-
Source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2253359318.0000000002756000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2263010670.0000000002750000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2222713240.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com:Dv
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.comvDwN
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/I
Source: GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLCopyright
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLOswaldLight
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcd.com0&
Source: GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2246018078.000000000275E000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2247599754.0000000002756000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2248968233.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2250679639.0000000002752000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: vc_redist.x86.exe, 00000002.00000002.1927445488.0000000003570000.00000004.00000800.00020000.00000000.sdmp, vc_redist.x86.exe, 00000002.00000002.1926951441.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/ca.crt
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/ca.crt0J
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/ca.crtI
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/index.php?id=10
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/index.php?id=1004
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/index.php?id=100P
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org/index.php?id=10L
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CAcert.org1
Source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: GlassWireSetup.exe, 00000000.00000003.2235943913.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Copyright
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Digitized
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Licensed
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoMedium
Source: GlassWire.exe, 00000024.00000003.2591470657.0000000006A1F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cacert.org
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cacert.org/index.php?id=10
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cacert.org/index.php?id=100V
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cacert.org1
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cacert.org?
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crlsDwK
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org287
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.orgD
Source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.color.org)
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt0
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: GlassWireSetup.exe String found in binary or memory: http://www.e-szigno.hu/SZSZ
Source: GlassWireSetup.exe, GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: GlassWireSetup.exe, 00000000.00000003.2557586459.00000000053EF000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2556467013.00000000053E6000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2564008009.00000000053F0000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: GlassWireSetup.exe, 00000000.00000003.2237386093.0000000002759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.geonames.org
Source: GlassWireSetup.exe, 00000000.00000003.1699586932.0000000002762000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2562039781.0000000000624000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.glasswire.com/stat/install.php?v=3.4.694&build_type=full&os=
Source: GlassWireSetup.exe, 00000000.00000003.2237386093.0000000002759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.maxmind.com/en/geolite2/eula.
Source: GlassWireSetup.exe, 00000000.00000003.2554513226.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2316903879.00000000055A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.microsoft.ct
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: GlassWireSetup.exe, 00000000.00000003.2311642643.0000000005424000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: GlassWireSetup.exe, 00000000.00000003.2243073905.0000000002759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.qt.io/licensing
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.vmware.com/support/developer/vima/)os.vendor:
Source: unknown Network traffic detected: HTTP traffic on port 57848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57829
Source: unknown Network traffic detected: HTTP traffic on port 57829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57848
Source: unknown Network traffic detected: HTTP traffic on port 57884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57884
Source: unknown Network traffic detected: HTTP traffic on port 57840 -> 443
Source: unknown HTTPS traffic detected: 18.244.164.20:443 -> 192.168.2.4:57884 version: TLS 1.2
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405705
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\gwdrv.cat (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\win7-x86\gwdrv.cat
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\x64\gwdrv.cat
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\legacy-x64\gwdrv.cat
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\legacy-x86\gwdrv.cat
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.cat
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\SET8C1F.tmp
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\win7-x64\gwdrv.cat

System Summary

Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040351C
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\legacy-x64\gwdrv.sys
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.cat
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.inf
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3bd8bd.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{1679EF65-55F3-4248-B91E-6B3BE1A69CDF}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIDD41.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\concrt140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3bd8c1.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3bd8c2.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{1AEA8854-7597-4CD3-948F-8DE364D94E07}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE2B1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3bd8c9.msi
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\gwdrv.inf_amd64_54933c59b5293195
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe File deleted: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: windows.dll.0.dr Static PE information: Number of sections : 17 > 10
Source: GWUnlock.exe.0.dr Static PE information: Number of sections : 13 > 10
Source: GWCtlSrv.exe.0.dr Static PE information: Number of sections : 18 > 10
Source: GWIdlMon.exe.0.dr Static PE information: Number of sections : 16 > 10
Source: GWUpgradeMonitor.exe.0.dr Static PE information: Number of sections : 18 > 10
Source: GWEventLog.dll.0.dr Static PE information: Number of sections : 16 > 10
Source: GWInstSt.exe.0.dr Static PE information: Number of sections : 13 > 10
Source: nsihelper.dll.0.dr Static PE information: Number of sections : 17 > 10
Source: GlassWire.exe.0.dr Static PE information: Number of sections : 18 > 10
Source: mfc140fra.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140kor.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140enu.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140chs.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140jpn.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140ita.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140esn.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140cht.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140rus.dll.10.dr Static PE information: No import functions for PE file found
Source: mfc140deu.dll.10.dr Static PE information: No import functions for PE file found
Source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Core.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqico.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000002.2561576372.0000000000465000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameglasswire-setup-3.4.694.0-full.exe4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2253359318.0000000002756000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqsvgicon.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2316678417.00000000055AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000002.2569059053.000000006B256000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamensihelper.dll4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2252884220.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5OpenGL.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2263010670.0000000002750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqwindows.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Gui.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000002.2568711641.000000006B20B000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: OriginalFilenamensihelper.dll4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5WinExtras.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegwdrv.sys4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2222713240.000000000275D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Widgets.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.1939470825.00000000030C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamensihelper.dll4 vs GlassWireSetup.exe
Source: GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQt5Svg.dll( vs GlassWireSetup.exe
Source: GlassWireSetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: GWCtlSrv.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997441924778762
Source: GWCtlSrv.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: GWEventLog.dll.0.dr Static PE information: Section: ZLIB complexity 0.9965653153153153
Source: GWEventLog.dll.0.dr Static PE information: Section: ZLIB complexity 1.0004127738402062
Source: GWEventLog.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: nsihelper.dll.0.dr Static PE information: Section: ZLIB complexity 0.9932611792127072
Source: nsihelper.dll.0.dr Static PE information: Section: ZLIB complexity 1.0000559812898089
Source: nsihelper.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: GWIdlMon.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931654169556172
Source: GWIdlMon.exe.0.dr Static PE information: Section: ZLIB complexity 0.9985463382633588
Source: GWIdlMon.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: GWUnlock.exe.0.dr Static PE information: Section: ZLIB complexity 0.9940916856492027
Source: GWUnlock.exe.0.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: GWUnlock.exe.0.dr Static PE information: Section: ZLIB complexity 0.9909476902173913
Source: GWUnlock.exe.0.dr Static PE information: Section: ZLIB complexity 0.9970073084677419
Source: GWUpgradeMonitor.exe.0.dr Static PE information: Section: ZLIB complexity 0.997985665954416
Source: GWUpgradeMonitor.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: GlassWire.exe.0.dr Static PE information: Section: ZLIB complexity 0.9902023565573771
Source: GlassWire.exe.0.dr Static PE information: Section: ZLIB complexity 0.9998014680631868
Source: GlassWire.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: Qt5Core.dll.0.dr Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: windows.dll.0.dr Static PE information: Section: ZLIB complexity 0.9966714873568703
Source: windows.dll.0.dr Static PE information: Section: ZLIB complexity 0.9979254943502824
Source: windows.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: sus34.evad.winEXE@50/230@3/4
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005EFD20 FormatMessageW,GetLastError,LocalFree, 1_2_005EFD20
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040351C
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005B44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 1_2_005B44E9
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_008644E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 2_2_008644E9
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00DF44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 3_2_00DF44E9
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004049B1
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_004021CF CoCreateInstance, 0_2_004021CF
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005D6945 ChangeServiceConfigW,GetLastError, 1_2_005D6945
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\GlassWire 3.4.lnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsn9655.tmp
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: cabinet.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: msi.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: version.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: wininet.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: comres.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: clbcatq.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: msasn1.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: crypt32.dll 1_2_005B1070
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Command line argument: feclient.dll 1_2_005B1070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: cabinet.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: msi.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: version.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: wininet.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: comres.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: clbcatq.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: msasn1.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: crypt32.dll 2_2_00861070
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Command line argument: feclient.dll 2_2_00861070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: cabinet.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: msi.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: version.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: wininet.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: comres.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: clbcatq.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: msasn1.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: crypt32.dll 3_2_00DF1070
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Command line argument: feclient.dll 3_2_00DF1070
Source: GlassWireSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GlassWireSetup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\GlassWireSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\system32\drivers\gwdrv.inf
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003298000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B12F000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: SELECT settings FROM firewall_data WHERE id = 1;
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: SELECT filename FROM stats_databases;
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003298000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B12F000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: SELECT count(*) FROM sqlite_master WHERE type='table' AND name='%s';
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003298000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B12F000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003298000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B12F000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: GlassWireSetup.exe String found in binary or memory: Madrid (see current address at www.camerfirma.com/address)
Source: vc_redist.x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x86.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\GlassWireSetup.exe File read: C:\Users\user\Desktop\GlassWireSetup.exe
Source: unknown Process created: C:\Users\user\Desktop\GlassWireSetup.exe "C:\Users\user\Desktop\GlassWireSetup.exe"
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe "C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe" /install /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Process created: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe "C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640 /install /quiet /norestart
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Process created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe "C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4C6967F0-7861-4E5E-A266-A79F91D53451} {8D47B6A8-8425-45E8-BA0B-10ED43630BCC} 1148
Source: unknown Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe "C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe" "https://www.glasswire.com/stat/install.php?v=3.4.694&build_type=full&os=Ten&platform=x64&update=0&install_id=8AC7009D4B52E62F54AD1F4176FBF27962F3EAF3F7DDE916A08729FD64A8AEEE&referrer=https%3A%2F%2Fwww.google.com%2F&user_agent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F129.0.0.0+Safari%2F537.36+Edg%2F129.0.0.0&ga_client_id=1231827075.1728319357" "nsis$$.tmp"
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\system32\drivers\gwdrv.inf
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{1b9ae675-a69a-784f-a0a3-d898132a09ba}\gwdrv.inf" "9" "4e7eab47b" "0000000000000144" "WinSta0\Default" "0000000000000170" "208" "C:\Windows\system32\drivers"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\gwdrv.inf_amd64_54933c59b5293195\gwdrv.inf" "0" "4e7eab47b" "0000000000000170" "WinSta0\Default"
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" start gwdrv
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start gwdrv
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\SysWOW64\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im "C:\Users\user\AppData\Local\Temp\nsx9694.tmp\eventlog.man" /rf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /mf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll"
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im "C:\Users\user\AppData\Local\Temp\nsx9694.tmp\eventlog.man" /rf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /mf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /fromwow64
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe "C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-i"
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe "C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-s"
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe "C:\Program Files (x86)\GlassWire\GWCtlSrv.exe"
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" "C:\Program Files (x86)\GlassWire\glasswire.exe"
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\GlassWire\GlassWire.exe "C:\Program Files (x86)\GlassWire\GlassWire.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Program Files (x86)\GlassWire\GlassWire.exe "C:\Program Files (x86)\GlassWire\glasswire.exe" -hide
Source: unknown Process created: C:\Program Files (x86)\GlassWire\GlassWire.exe "C:\Program Files (x86)\GlassWire\glasswire.exe" -hide
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: version.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: msimg32.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: riched20.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: usp10.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: msls31.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: edputil.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: appresolver.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: slc.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: sppc.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: version.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: srclient.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: spp.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: vssapi.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: vsstrace.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: usoapi.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: sxproxy.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: srpapi.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: tsappcmp.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: netapi32.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: wkscli.dll
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Section loaded: netutils.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: devobj.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: authz.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: virtdisk.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: bcd.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: es.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: vss_ps.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: samcli.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: samlib.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: propsys.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: catsrvut.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: mfcsubs.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\VSSVC.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: swprv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: virtdisk.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vss_ps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: version.dll
Source: C:\Windows\System32\runonce.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\runonce.exe Section loaded: wldp.dll
Source: C:\Windows\System32\runonce.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\runonce.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\runonce.exe Section loaded: propsys.dll
Source: C:\Windows\System32\runonce.exe Section loaded: profapi.dll
Source: C:\Windows\System32\runonce.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\runonce.exe Section loaded: edputil.dll
Source: C:\Windows\System32\runonce.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\runonce.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\runonce.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\runonce.exe Section loaded: netutils.dll
Source: C:\Windows\System32\runonce.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\runonce.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\runonce.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\runonce.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\runonce.exe Section loaded: slc.dll
Source: C:\Windows\System32\runonce.exe Section loaded: userenv.dll
Source: C:\Windows\System32\runonce.exe Section loaded: sppc.dll
Source: C:\Windows\System32\runonce.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\runonce.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\grpconv.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\grpconv.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wevtutil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wevtutil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wevtutil.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wevtutil.exe Section loaded: wevtapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: gweventlog.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wsnmp32.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: gweventlog.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wsnmp32.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: gweventlog.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wsnmp32.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wevtapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wlanapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: appxdeploymentclient.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.applicationmodel.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.staterepositorybroker.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: mrmcorer.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windows.ui.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: windowmanagementapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: inputhost.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: bcp47mrm.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: languageoverlayutil.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe Section loaded: slc.dll
Source: C:\Windows\explorer.exe Section loaded: sppc.dll
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5svg.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5winextras.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5widgets.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5gui.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5core.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: msvcp140_atomic_wait.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Section loaded: qt5widgets.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Uninstall.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\GlassWire\uninstall.exe
Source: GlassWire.lnk.0.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\GlassWire\GlassWire.exe
Source: GlassWire 3.4.lnk.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\GlassWire\GlassWire.exe
Source: GlassWire.lnk0.0.dr LNK file: ..\..\..\Program Files (x86)\GlassWire\GlassWire.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: Next >
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: I accept the terms of the License Agreement
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: Next >
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: Next >
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: Next >
Source: C:\Users\user\Desktop\GlassWireSetup.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\GlassWireSetup.exe Window detected: < &Back &Next > Cancel License Agreement Please review the license terms before installing GlassWire. Press Page Down to see the rest of the agreement. GLASSWIRE SERVICES SUBSCRIPTION AGREEMENT TERMS AND CONDITIONS These are the terms on which GlassWire a brand owned by Domotz Inc ("we" or "Domotz" or GlassWire) enable you the Subscriber ("you" or "Subscriber") to access our integrated technology platform as outlined in further detail in this Agreement our website and the Documentation which is available to Subscribers via the internet. These Terms of Service (the "Terms") including any extension annex and update together with the GlassWire Privacy Policy govern the way you will use our platform and all related services. Please read these terms carefully before you download any GlassWire Software use any GlassWire Services or Service Licenses. These terms explain who we are how we will provide the Services to you what to do if there is a problem and other important information. Please refer to our Privacy Policy for information on how we collect use and disclose information from our users. You acknowledge and agree that your use of the Services is subject to our Privacy Policy. ACCEPTANCE You are deemed to have accepted the terms of this Agreement and will have created a binding contract with GlassWire upon any of the following events: (a) download or installation of any GlassWire Services or related Software; (b) access to or use of any GlassWire Services or related Software; (c) payment for GlassWire Services or related Software Subscription or Service Licenses; (d) entering into an order form for GlassWire Services or related Software Subscription or Service Licenses; or (e) clicking an "accept" button or other similar acknowledgment indicating your acceptance of this Agreement. If you do not agree to be bound by this Agreement you may not access or use the Services or any related.
Please read through the entirety of this Agreement to review important provisions regarding intellectual property disclaimers limitations of liability indemnification waivers exclusive law and jurisdiction for resolution of disputes and other legal restrictions. By using our Services you agree to be bound by these Terms. If you don't agree to be bound by these Terms do not use the Services. If you are accessing and using the Services on behalf of a company (such as your employer) or other legal entity you represent and warrant that you have the authority to bind that company or other legal entity and each of its affiliates to these Terms. In that case "you" and "your" will refer to that company or other legal entity and its affiliates. INFORMATION ABOUT US AND CONTACT DETAILS The subscription services provided by GlassWire to you under this Agreement including the GlassWire website cloud services desktop web and mobile applications and other services and functionality ("Services") are provided by Domotz Inc a company incorporated in the State of Delaware USA. Our office are a
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Window detected: Number of UI elements: 23
Source: GlassWireSetup.exe Static PE information: certificate valid
Source: GlassWireSetup.exe Static file information: File size 83546864 > 1048576
Source: GlassWireSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vc_redist.x86.exe, 00000001.00000000.1730721661.00000000005FB000.00000002.00000001.01000000.00000005.sdmp, vc_redist.x86.exe, 00000001.00000002.1930767326.00000000005FB000.00000002.00000001.01000000.00000005.sdmp, vc_redist.x86.exe, 00000002.00000002.1925069276.00000000008AB000.00000002.00000001.01000000.00000007.sdmp, vc_redist.x86.exe, 00000002.00000000.1731634886.00000000008AB000.00000002.00000001.01000000.00000007.sdmp, VC_redist.x86.exe, 00000003.00000000.1736115821.0000000000E3B000.00000002.00000001.01000000.0000000C.sdmp, VC_redist.x86.exe, 00000003.00000002.1918918991.0000000000E3B000.00000002.00000001.01000000.0000000C.sdmp, VC_redist.x86.exe, 00000003.00000003.1866100025.00000000012D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: GlassWireSetup.exe, 00000000.00000003.2253359318.0000000002756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins\workspace\Glasswire-Consumer-rc\.build\build\msvc-win-x86-release-full-production\bin\GWInstSt.pdb source: GWInstSt.exe
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\users\tvo\dev\securemix\glasswire-windows-driver\.build\bins\Production-x64\generic-driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2316678417.00000000055AC000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.2252884220.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: revocationDateX509_REVOKEDlastUpdateX509_CRL_INFOcrlX509_CRLcrypto\x509\x_crl.cX509_CRL_add0_revokedX509_CRL_METHOD_newcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res\lib\ossl-modules.dll@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003252000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B0E9000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003252000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins\workspace\Glasswire-Consumer-rc\.build\build\msvc-win-x86-release-full-production\bin\nsihelper.pdb source: GlassWireSetup.exe, 00000000.00000003.1938926313.0000000003305000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568711641.000000006B252000.00000002.00000001.01000000.0000000F.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B19C000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: krevocationDateX509_REVOKEDlastUpdateX509_CRL_INFOcrlX509_CRLcrypto\x509\x_crl.cX509_CRL_add0_revokedX509_CRL_METHOD_newcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUG;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res\lib\ossl-modules.dll@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B0E9000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\win7-release\x86\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2251540397.0000000002758000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\vc110-release\x64\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2247096759.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb"" source: GlassWireSetup.exe, 00000000.00000003.2253903688.0000000002753000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MD /Zl /Gs0 /GF /Gy -MD -O2 -Ob2 -MD -O2 -Ob2 -DL_ENDIAN -DOPENSSL_PIC -DNDEBUGOpenSSL 3.1.0 14 Mar 20233.1.0built on: Thu Aug 24 07:39:01 2023 UTCplatform: VC-conan-Release-Windows-x86-Visual Studio-16OPENSSLDIR: "C:\Users\jenkins\.conan\data\openssl\3.1.0\_\_\package\85c19aeb1a95eed600c2a699e15fa9ae0bd53a34\res"ENGINESDIR: "\lib\engines-3"MODULESDIR: "\lib\ossl-modules"CPUINFO: N/Anot available source: GlassWireSetup.exe, 00000000.00000003.1938926313.00000000031D0000.00000004.00001000.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2568137667.000000006B067000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\win7-release\x64\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2249868436.0000000002755000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\src\hg\manycam\glasswire\core\build\bin\vc110-release\x86\driver\gwdrv.pdb source: GlassWireSetup.exe, 00000000.00000003.2248500311.000000000275C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb.. source: GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbU source: GlassWireSetup.exe, 00000000.00000003.2211012822.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: GlassWireSetup.exe, 00000000.00000003.2223516885.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb,, source: GlassWireSetup.exe, 00000000.00000003.2219603181.000000000275E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb source: GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: GlassWireSetup.exe, 00000000.00000003.2222713240.000000000275D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: GlassWireSetup.exe, 00000000.00000003.2263010670.0000000002750000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5OpenGL.pdb55 source: GlassWireSetup.exe, 00000000.00000003.2218822316.000000000275B000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name:
Source: GWInstSt.exe.0.dr Static PE information: section name: .debug
Source: GWInstSt.exe.0.dr Static PE information: section name: .themida
Source: GWInstSt.exe.0.dr Static PE information: section name: .boot
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name:
Source: GWCtlSrv.exe.0.dr Static PE information: section name: .debug
Source: GWCtlSrv.exe.0.dr Static PE information: section name: .themida
Source: GWCtlSrv.exe.0.dr Static PE information: section name: .boot
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name:
Source: GWEventLog.dll.0.dr Static PE information: section name: .debug
Source: GWEventLog.dll.0.dr Static PE information: section name: .themida
Source: GWEventLog.dll.0.dr Static PE information: section name: .boot
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name:
Source: nsihelper.dll.0.dr Static PE information: section name: .debug
Source: nsihelper.dll.0.dr Static PE information: section name: .themida
Source: nsihelper.dll.0.dr Static PE information: section name: .boot
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name:
Source: GWIdlMon.exe.0.dr Static PE information: section name: .debug
Source: GWIdlMon.exe.0.dr Static PE information: section name: .themida
Source: GWIdlMon.exe.0.dr Static PE information: section name: .boot
Source: vc_redist.x86.exe.0.dr Static PE information: section name: .wixburn
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name:
Source: GWUnlock.exe.0.dr Static PE information: section name: .debug
Source: GWUnlock.exe.0.dr Static PE information: section name: .themida
Source: GWUnlock.exe.0.dr Static PE information: section name: .boot
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name:
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name: .debug
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name: .themida
Source: GWUpgradeMonitor.exe.0.dr Static PE information: section name: .boot
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name:
Source: GlassWire.exe.0.dr Static PE information: section name: .debug
Source: GlassWire.exe.0.dr Static PE information: section name: .themida
Source: GlassWire.exe.0.dr Static PE information: section name: .boot
Source: Qt5Core.dll.0.dr Static PE information: section name: .qtmimed
Source: qsvgicon.dll.0.dr Static PE information: section name: .qtmetad
Source: qico.dll.0.dr Static PE information: section name: .qtmetad
Source: qwindows.dll.0.dr Static PE information: section name: .qtmetad
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name:
Source: windows.dll.0.dr Static PE information: section name: .debug
Source: windows.dll.0.dr Static PE information: section name: .themida
Source: windows.dll.0.dr Static PE information: section name: .boot
Source: vc_redist.x86.exe.1.dr Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.2.dr Static PE information: section name: .wixburn
Source: VC_redist.x86.exe.3.dr Static PE information: section name: .wixburn
Source: mfc140.dll.10.dr Static PE information: section name: .didat
Source: mfc140u.dll.10.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2F2F pushfd ; iretd 0_3_053F2F32
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2A23 pushfd ; iretd 0_3_053F2A3A
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2A1F pushfd ; iretd 0_3_053F2A22
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F271F pushfd ; iretd 0_3_053F2722
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F881D push edx; ret 0_3_053F881E
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F7C15 push edx; ret 0_3_053F7C16
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2E13 pushfd ; iretd 0_3_053F2E2A
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2707 pushfd ; iretd 0_3_053F270A
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2C7B pushfd ; iretd 0_3_053F2D82
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2E73 pushfd ; iretd 0_3_053F2EA2
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2E6F pushfd ; iretd 0_3_053F2E72
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2767 pushfd ; iretd 0_3_053F276A
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2C63 pushfd ; iretd 0_3_053F2C7A
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2963 pushfd ; iretd 0_3_053F2992
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F295F pushfd ; iretd 0_3_053F2962
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F2C5F pushfd ; iretd 0_3_053F2C62
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053FA352 pushad ; ret 0_3_053FA365
Source: GWInstSt.exe.0.dr Static PE information: section name: entropy: 7.5398444579069155
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\Temp\OLD945C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5Svg.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5Widgets.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe File created: 3bd8c5.rbf (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\iconengines\qsvgicon.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\gwdrv.sys (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vcruntime140.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\System.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\StartMenu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GWIdlMon.exe
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\{8d5fdf81-7022-423f-bd8b-b513a1050ae1}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\legacy-x64\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe File created: 3bd8c7.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe File created: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_1.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_codecvt_ids.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5Core.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File created: 3bd8c8.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\legacy-x86\gwdrv.sys
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GlassWire.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\concrt140.dll
Source: C:\Windows\System32\msiexec.exe File created: 3bd8c0.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\uninstall.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5Gui.dll
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\SET8C50.tmp
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\platforms\qwindows.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\x64\gwdrv.sys
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GWUpgradeMonitor.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vccorlib140.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\wixstdba.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\win7-x86\gwdrv.sys
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsihelper.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\{1b9ae675-a69a-784f-a0a3-d898132a09ba}\SET89B0.tmp
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\plugins\windows.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\{1b9ae675-a69a-784f-a0a3-d898132a09ba}\gwdrv.sys (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe File created: 3bd8c6.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GWEventLog.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5WinExtras.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\driver\win7-x64\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140enu.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\imageformats\qico.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\Qt5OpenGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\GWUnlock.exe Jump to dropped file
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe File created: C:\ProgramData\Package Cache\{8d5fdf81-7022-423f-bd8b-b513a1050ae1}\VC_redist.x86.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140esn.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140ita.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\Temp\OLD945C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140deu.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140jpn.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140chs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm140u.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\gwdrv.sys (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140fra.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe File created: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140rus.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Windows\System32\drivers\gwdrv.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc140cht.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_codecvt_ids.dll Jump to dropped file
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\ASIO-LICENSE_1_0.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\GEOIP-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\GEOLITE2-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\LZ4-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\OPENSSL-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\PROTOBYUF-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\QT-LICENSE.GPL3-EXCEPT.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\QT-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\RAPIDJSON-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\RAPIDXML-LICENSE.txt Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\Program Files (x86)\GlassWire\copyrights\ZLIB-LICENSE.txt Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1028\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1029\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1031\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1036\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1040\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1041\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1042\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1045\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1046\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1049\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\1055\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\2052\license.rtf Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe File created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\3082\license.rtf Jump to behavior

Boot Survival

Source: C:\Windows\System32\rundll32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Users\user\Desktop\GlassWireSetup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GlassWire Jump to behavior
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire\Uninstall.lnk Jump to behavior
Source: C:\Users\user\Desktop\GlassWireSetup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire\GlassWire.lnk Jump to behavior
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {8d5fdf81-7022-423f-bd8b-b513a1050ae1} Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\drvinst.exe File opened: NULL
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\VSSVC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\GlassWireSetup.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\svchost.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F5F84 rdtsc 0_3_053F5F84
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\Temp\OLD945C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 3bd8c5.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\iconengines\qsvgicon.dll
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\gwdrv.sys (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\System.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\StartMenu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\GWIdlMon.exe
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\driver\legacy-x64\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 3bd8c7.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 3bd8c8.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\driver\legacy-x86\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\concrt140.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 3bd8c0.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\uninstall.exe
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\SET8C50.tmp
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\platforms\qwindows.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\driver\x64\gwdrv.sys
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\GWUpgradeMonitor.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\56FE97613F5584249BE1B6B31E6AC9FD\14.29.30139\vccorlib140.dll
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Dropped PE file which has not been started: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\wixstdba.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsihelper.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\driver\win7-x86\gwdrv.sys
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1b9ae675-a69a-784f-a0a3-d898132a09ba}\SET89B0.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\plugins\windows.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1b9ae675-a69a-784f-a0a3-d898132a09ba}\gwdrv.sys (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 3bd8c6.rbf (copy)
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\driver\win7-x64\gwdrv.sys
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\nsExec.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\imageformats\qico.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\Qt5OpenGL.dll
Source: C:\Users\user\Desktop\GlassWireSetup.exe Dropped PE file which has not been started: C:\Program Files (x86)\GlassWire\GWUnlock.exe
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Evaded block: after key decision
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\SrTasks.exe TID: 4192 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6924 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005EFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 005EFE5Dh 1_2_005EFDC2
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005EFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 005EFE56h 1_2_005EFDC2
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0089FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0089FE5Dh 2_2_0089FDC2
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0089FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0089FE56h 2_2_0089FDC2
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E2FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00E2FE5Dh 3_2_00E2FDC2
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E2FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00E2FE56h 3_2_00E2FDC2
Source: C:\Users\user\Desktop\GlassWireSetup.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\GlassWireSetup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C4D
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_0040689E FindFirstFileW,FindClose, 0_2_0040689E
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_00402930 FindFirstFileW, 0_2_00402930
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005B3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 1_2_005B3BC3
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F4315 FindFirstFileW,FindClose, 1_2_005F4315
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005C993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 1_2_005C993E
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_008A4315 FindFirstFileW,FindClose, 2_2_008A4315
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0087993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 2_2_0087993E
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00863BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 2_2_00863BC3
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E34315 FindFirstFileW,FindClose, 3_2_00E34315
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E0993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 3_2_00E0993E
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00DF3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 3_2_00DF3BC3
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F962D VirtualQuery,GetSystemInfo, 1_2_005F962D
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\GlassWireSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: VSSVC.exe, 00000005.00000003.1837229215.000002A5C7D7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^58,59,1,28,121,33,3,12,119,15,6,40,41,42,26,17,120,9,7,44,45,46,47$VMware vCenter Server Appliance
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^58,59,1,28,121,33,3,12,119,15,6,40,41,42,26,17,120,9,7,44,45,47$VMware vCenter Server Appliance
Source: SrTasks.exe, 00000008.00000003.1980973687.00000170906C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:Y
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^(?:(?:Microsoft )?(Windows (?:[a-z]+\s[a-z]+\s|[a-z]+\s)?Server (?:\d{4} R2|\d{4}))(?:,\s|\s)?([a-z]+)?(?: Evaluation)?(?: Edition)?(?:\s|\swith(?:out)? Hyper-V\s)?(SP\d|SP \d|Service Pack \d)?)$Windows Server 2003 and lateros.vendor:'Microsoft', os.family:'Windows', os.product:'%1', os.edition:'%2', os.version:'%3'
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aVMware Server ConsoleL
Source: vc_redist.x86.exe, 00000002.00000003.1914093228.00000000011C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )VMware, Inc.'
Source: GlassWireSetup.exe, 00000000.00000002.2561235421.0000000000414000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: ^(?:VMWare Photon(?:\/)?(?:\s?Linux)?\s?(?:v)?(\d+?(?:\.\d+?)*?)?)$ q
Source: svchost.exe, 00000006.00000003.1844854538.000001AA63C79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SrTasks.exe, 00000008.00000003.1917033317.00000170906BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.h
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iVMware, Inc.
Source: GlassWireSetup.exe, 00000000.00000003.2250462089.000000000066B000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000002.2562039781.0000000000661000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.1950277165.000000000066B000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.1945493985.000000000066B000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.1943361465.000000000066B000.00000004.00000020.00020000.00000000.sdmp, GlassWireSetup.exe, 00000000.00000003.1949040704.000000000066B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual Infrastructure ClientL
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: =PVVMware, Inc.
Source: GlassWireSetup.exe, 00000000.00000002.2561235421.0000000000414000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: m^(?:VMWare Photon(?:\/)?(?:\s?Linux)?\s?(?:v)?(\d+?(?:\.\d+?)*?)?)$Photon Linuxos.vendor:'VMware', os.family:'Linux', os.product:'Photon Linux', os.version:'%1', os.cpe23:'cpe:/o:vmware:photon_os:%1'
Source: svchost.exe, 00000006.00000003.1844854538.000001AA63C71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SrTasks.exe, 00000008.00000003.1981823212.00000170906E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000008.00000003.1954076075.00000170906BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:0
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^(?:(?:Microsoft )?(Windows (?:[a-z]+\s[a-z]+\s|[a-z]+\s)?Server (?:\d{4} R2|\d{4}))(?:,\s|\s)?([a-z]+)?(?: Evaluation)?(?: Edition)?(?:\s|\swith(?:out)? Hyper-V\s)?(SP\d|SP \d|Service Pack \d)?)$Windows Server 2003 and lateros.vendor:'Microsoft'
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^(VMware ESXi?) (\d\.\d+\.\d+) build-\d+ VMware, Inc\. (\S+)$
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^(?:(?:Oracle|Sun)?\s?Solaris\s?((?:[789]|10)+?(?:\.\d+?)*?)?)$5-z]+\s)?Server (?:\d{4} R2|\d{4}))(?:,\s|\s)?([a-z]+)?(?: Evaluation)?(?: Edition)?(?:\s|\swith(?:out)? Hyper-V\s)?(SP\d|SP \d|Service Pack \d)?)$
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: E^"vSphere Management Assistant ([\d\.]+)"$VMware vSphere Management assistant, which is a virtual machine (https://www.vmware.com/support/developer/vima/)os.vendor:'VMware', os.product:'vSphere Management Assistant', os.version:'%1'
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ^(VMware ESXi?) (\d\.\d+\.\d+) build-\d+ VMware, Inc\. (\S+)$VMware ESX/ESXios.vendor:'VMware', os.family:'VMware ESX/ESXi', os.product:'%1', os.version:'%2', os.arch:'%3'
Source: GlassWireSetup.exe, 00000000.00000003.2314112487.000000000275E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: aVMware Remote Console-
Source: GlassWireSetup.exe, 00000000.00000003.2217905186.0000000002754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Users\user\Desktop\GlassWireSetup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\GlassWireSetup.exe System information queried: ModuleInformation
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\GlassWireSetup.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Process queried: DebugPort
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Process queried: DebugPort
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_3_053F5F84 rdtsc 0_3_053F5F84
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005DE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_005DE625
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005E4812 mov eax, dword ptr fs:[00000030h] 1_2_005E4812
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00894812 mov eax, dword ptr fs:[00000030h] 2_2_00894812
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E24812 mov eax, dword ptr fs:[00000030h] 3_2_00E24812
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005B38D4 GetProcessHeap,RtlAllocateHeap, 1_2_005B38D4
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005DE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_005DE188
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005DE773 SetUnhandledExceptionFilter, 1_2_005DE773
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005E3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_005E3BB0
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0088E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0088E188
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0088E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0088E625
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_0088E773 SetUnhandledExceptionFilter, 2_2_0088E773
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Code function: 2_2_00893BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00893BB0
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E1E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00E1E188
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E1E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00E1E625
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E1E773 SetUnhandledExceptionFilter, 3_2_00E1E773
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Code function: 3_2_00E23BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00E23BB0
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\system32\drivers\gwdrv.inf
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\System32\net.exe "C:\Windows\system32\net.exe" start gwdrv
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Windows\SysWOW64\wevtutil.exe "C:\Windows\system32\wevtutil.exe" im "C:\Users\user\AppData\Local\Temp\nsx9694.tmp\eventlog.man" /rf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /mf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll"
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe "C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-i"
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe "C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-s"
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Process created: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe "C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe" -burn.filehandle.attached=524 -burn.filehandle.self=640 /install /quiet /norestart
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Process created: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe "C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4C6967F0-7861-4E5E-A266-A79F91D53451} {8D47B6A8-8425-45E8-BA0B-10ED43630BCC} 1148
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start gwdrv
Source: C:\Users\user\Desktop\GlassWireSetup.exe Process created: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\GWInstSt.exe "c:\users\user\appdata\local\temp\nsx9694.tmp\gwinstst.exe" "https://www.glasswire.com/stat/install.php?v=3.4.694&build_type=full&os=ten&platform=x64&update=0&install_id=8ac7009d4b52e62f54ad1f4176fbf27962f3eaf3f7dde916a08729fd64a8aeee&referrer=https%3a%2f%2fwww.google.com%2f&user_agent=mozilla%2f5.0+%28windows+nt+10.0%3b+win64%3b+x64%29+applewebkit%2f537.36+%28khtml%2c+like+gecko%29+chrome%2f129.0.0.0+safari%2f537.36+edg%2f129.0.0.0&ga_client_id=1231827075.1728319357" "nsis$$.tmp"
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F15CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 1_2_005F15CB
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F393B AllocateAndInitializeSid,CheckTokenMembership, 1_2_005F393B
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005DE9A7 cpuid 1_2_005DE9A7
Source: C:\Users\user\Desktop\GlassWireSetup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{FAC60DB1-A697-45EE-963C-3E79552A0F30}\.cr\vc_redist.x86.exe Queries volume information: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{1b774c08-0e2d-f04a-affb-563599d0a20e}\gwdrv.cat VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GWCtlSrv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Program Files (x86)\GlassWire\platforms\qwindows.dll VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Program Files (x86)\GlassWire\iconengines\qsvgicon.dll VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Program Files (x86)\GlassWire\imageformats\qico.dll VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Program Files (x86)\GlassWire\lang\en_us.qm VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\GlassWire\GlassWire.exe Queries volume information: C:\Users\user\AppData\Local\GlassWire\client-full\client.conf VolumeInformation
Source: C:\Windows\System32\runonce.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005C4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 1_2_005C4CE8
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005DE513 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_005DE513
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005B60BA GetUserNameW,GetLastError, 1_2_005B60BA
Source: C:\Users\user\AppData\Local\Temp\nsx9694.tmp\vc_redist.x86.exe Code function: 1_2_005F8733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 1_2_005F8733
Source: C:\Users\user\Desktop\GlassWireSetup.exe Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040351C
Source: C:\Windows\Temp\{A3612FE9-3C22-4098-98C3-2CD91218666B}\.be\VC_redist.x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid